23542300x800000000000000055901755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:06.493{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C1878E8B2A0E2AD783DFC870061FD9,SHA256=7074A43F138797B04911310680CC8F69DF344CEA93BF729575DC76A1B58B0917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:06.580{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8012F817E2E6C0FFF5E53B0F92409E,SHA256=ABFABD96578037C314BC112AD64479E0600A67C712BF6A7BFC3B0EECD2102B8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:14.580{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61342-false10.0.1.12-8000- 23542300x8000000000000000107399239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:06.237{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4A4D69B8B56A8E6267B97B33EABA806,SHA256=D2924B6B6F10486F5294C700F733B3220E6F12FD1A4201B29BBB377631BFA825,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:07.508{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D922217B206C17B556BF7B1E91F5DF,SHA256=EC285CCE18D8932FA4601C8518FC932D6DA3D87414B23BAC3389371E670968DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:07.580{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36223FACD71E49F299B64F47C649ACE6,SHA256=86A2AB44A745C4CF46B42302C9EADA76A9DFA7127F2127B92982BC5B05A021BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:15.330{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61344-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107399243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:15.330{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61344-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107399242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:15.236{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61343-false10.0.1.12-8089- 23542300x800000000000000055901757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:08.524{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF4794D1E3EEF7CE0305ACA20CE8377,SHA256=98B9D40E2F1EEB8739C719656656BC266303A7538416AFD6212110A3DE547CA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:08.596{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4A79F24D5027EA512791BDBB289D8B,SHA256=B20BFB02B4D975A22C7648FD54CFCC90F40CEF977F2E2370D7179A001BE979E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:09.540{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4284798FD39C6841A258051D0EDD29F5,SHA256=2E80947909B18EA71AE81FDCC94E1460AB0FB915A9C6FE66646F0DECC3506AC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:09.596{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502B67084A345622A2A08E69056801DB,SHA256=DC466BA74F2FB251BA5621B748A659DBE2A0222C6DEBE5299327B96D125AA5C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:10.596{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B5F33BF8C33D0A5EB24E37FD4C34DA,SHA256=EE381A4BB7C2032BCEBCED681B56D652E2BF66AC06F64ECB5851B949222F1D81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:10.555{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EBEE252E40612F600631D4DF16CC58,SHA256=34768984A5B81A83FCEBE131997C201B5A8CA42BC8B39BEAC9F93EB379ADF0B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:11.643{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7E00913C1E2063CBC7B9CE17001CA0,SHA256=A5A108CF885E2F2B64831658971E5F6AFD60852E9CD3F1E2D855CE2FAAD3B7EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:11:49.656{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62737-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:11.555{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82692DB6C5FBF7CD30F7D40E0CA0097C,SHA256=C0205AD7C9C937FE786374566968BD11DC21C526DD8249893342604A7418FEB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:11.221{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFE43FF3F66AD2EF9F0B6CE93EE58C24,SHA256=4C9A8A67AE23D1E156DAB43B710B703DD6BED24F8E594943C5B2DE731163BC03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:12.799{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87314B2DB9400186119E5FEF429CE372,SHA256=1875C566618DC852A06A0D6AA4EDB3835B63C621B4776CFBA256B7B707EB8054,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:12.571{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F2B5C97BDC643F3B89CEDE0B29E366,SHA256=F331485056FAE12E4668303E2D5826DB6965C5331E4F4AEC62B404FF3915DEC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:19.609{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61345-false10.0.1.12-8000- 23542300x8000000000000000107399253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:13.971{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEF86D9412D378B57AC97F1263DB674,SHA256=8FFC57F1329ADBEFEFFE83CD1F2847CC7F4BE6213076EC87F99F42C4AA12854D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:13.586{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39917881B462FEC92CD83627FBF5A78A,SHA256=FFEC5307A26DE18FC00377CFF8F9EB499CAF51BAEFA03DCD12D1F00C966B76E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:14.602{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6DB501526B2702F9DDA728993BC330,SHA256=EB3B7214DF0CE062A63E7C0E99C58B81040E8F279ED35811728A05C109D9A573,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:15.618{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F139E845E00769EF6B377F52B9E9B303,SHA256=2001785085FB10BE64704C916C3E7D7654DBE694CE842E161ECB97D2DDED1048,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:15.049{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6497276D15AAA14279E626D337C01963,SHA256=7A07778424E16F048259495833E6B649E5BFD3ABE3506584DDD3FB2399018215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:11:55.576{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62738-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:16.805{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503D896D152CDDCB227C9AB5F8A15441,SHA256=A0D30635C35474F2FAD15D0E81093BC5894E561E8FC54C2E85AC391F2B502311,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:16.268{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAECB84762B60D590431FFCFDE1681A5,SHA256=6DE5D2D97A036D7B410EEF377F096499A95EB7A3E2DDCD58B11E9C9447F9A0A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:16.268{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0396210D9723322AEB8BA397E73DEE36,SHA256=36FF932444D82E53BC6747669650D7F8750EE464FAFADC041D00DDE04B186168,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:16.221{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A0C565877237918EAD4BFA7383B9CF,SHA256=2E03C5EA3119CC180F87D500C37DDAD95AEC755E6C1604BDFE52D79471B0D275,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:17.868{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0104EF2DC37EDABBC0674D0D5884F1,SHA256=6B5AC8717A1F205BB225C50195483FD2E492F68D20C43CFBCC5CA752634D8E10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:24.624{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61346-false10.0.1.12-8000- 23542300x8000000000000000107399258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:17.237{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4835AD5A536B7163A03F6FE16D03609,SHA256=E966D09FEEACD80478956DC59AF2FCD1038821F73283FEF4D7EEBB6C33705806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:18.471{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D572FEF22563ABB2296B2CAA319D0A2D,SHA256=D23232CF459876B5C0D677CB7B78CEF86D821F7BB384DD1E7DF831C8E834B34C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:19.565{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26898C1F79BEBCDCC0E272E958FA77C7,SHA256=A44EA7FB624DF572953D935436E75D702FACD6163779DA4DA362D677A7B79426,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055901798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.274{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055901769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:19.102{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE589C0BB8C2FAB3F80F06DCE40072D,SHA256=A95243EB968A3F3332E94A5BB4F924EF95136571A040C7AF5C4515163BCACD28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:20.596{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85BFF0CBB52EB5956AE42A845B064F0,SHA256=60B6A98BD6D11DC41F1F719F7497617C20EEB3392554BC6ECE2F650786898CA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:20.415{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D65036A626A115442A8835D21E1593,SHA256=21C40EE6D087AA588C3DF8518A0986AA17254C90CD9461B820DAB7EDE5F4CBB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:20.580{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=456F81DBFE5F9EB219F5CDF74171A295,SHA256=8D8A352A562F909F63C33397FC3CB9811A4C4F94239693F3F545815B05F73D0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:21.430{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059D792AE5BC2CBF69F1EF254A0658F3,SHA256=1E64FD3364B84C7DCFE04490D7DC384ED53CB51CB86ABC0D758A02BFBA232C76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:21.596{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1BE2E5A426A1A5161929809F7F5C2B,SHA256=1C7A67FF5BAE777255A98081FF53D65A77CADF85DD6C2D1D4FF70A8BDD169095,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:22.461{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF3EC93B98299E7737DB9C7E436C034,SHA256=54E99FB211E250E0FD8992B71DBC11202EA2BE4BDB6B652CDB62AB4F3D933022,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:30.531{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61347-false10.0.1.12-8000- 23542300x8000000000000000107399267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:22.596{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D083A40706FB9BEF519B3F54A5ADA9,SHA256=BBCDB59DD58190FF8E07789EFBB63F8E117D2F747D5462D2AD30071E741F9EE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:00.591{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62739-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107399266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:22.143{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DFE343E8FF66F03D64272E287479F39,SHA256=A2E519FBB3B735B9117675AE2093E06AA969296660E20A59E174A6CD442F9195,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:22.143{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAECB84762B60D590431FFCFDE1681A5,SHA256=6DE5D2D97A036D7B410EEF377F096499A95EB7A3E2DDCD58B11E9C9447F9A0A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:23.696{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED49184BD99C1CAAB9F54EAD523496CE,SHA256=EE723A79FAC8D781C183B9ECD19605C57C771727E0078BF56FBAEA83F099BA5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:23.596{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810C05382D7E996414C5383DAC4B8F77,SHA256=64752789DE86BD54041840A659BEA8BBD27DF4FB90A643E4ADB27995B764638E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:24.711{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AA18BE46A01B76C39134C6D2226081,SHA256=ABA5E05299EA96A2C2498D66F56CB29F7017D326A7FE49AC8D390F29A736ABB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:24.596{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D060119B54198FCBD46AAB6FBBF44F70,SHA256=167D5AD23EEC56FDD2C0B4FFAC76B40669CFBABAC2E937FD95706BB1B3ABD412,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:24.524{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:25.774{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BE9B5DE9B016A875605768C1D73489,SHA256=B074491B0ACAC3244469827CCD32166B704D1D8F8D8CFA2EDB6156E55276C3BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:25.596{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1C7695577AF8E9F2DE13815C5357CC,SHA256=2542DA8EF9C22448435A1097192AF39ECF537C1B89F99E672DD6016E9717FD0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:26.839{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7235E26B68FB23D778F2E8885E055F,SHA256=E02E133B531B132FE5EBDEE0741B4D0523BFAB3CD1B7D9966C5C5ED1AC0F1200,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:26.646{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FF211B9E50F3F07F647C4D3ED36284,SHA256=E52B4713782D92FE575FB0BE74909B28B23306FA57A793C2C4E30FFBD297FDDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:05.059{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62740-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000055901810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:27.917{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2651E4A945032A9718DFEF66E9CCE38,SHA256=E608BCB648DA1C189B4F5EF3A3D6F2B82404C20FE210400F96F1795AAB079556,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:27.646{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23232BC5CF51F78BDE9853D4D757B34C,SHA256=8C96AF66AE8FCF90AECD1B035A26C437EF50EBE46D91D4B7460FC288D6034C50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:05.669{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62741-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107399274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:27.208{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7A9C431E677B928B1CC686FBDFD94E3,SHA256=2013A74D5782908FAA29B1CE3A807A834ED92A8EACDB2DA78978C278A8FAFE2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:27.208{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DFE343E8FF66F03D64272E287479F39,SHA256=A2E519FBB3B735B9117675AE2093E06AA969296660E20A59E174A6CD442F9195,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:28.724{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5963D9F3043438CB1E12BD9420B87CFE,SHA256=8F827AFBF697AD08593E185F48C04F51D33A9021151402B3A408C40B48953766,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:35.609{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61348-false10.0.1.12-8000- 23542300x8000000000000000107399278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:29.943{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0E2B1DFC802785483E7A81F464E33F,SHA256=CC5525ED35DB505E6FE544B01B19F4A24A028412ABA6F08197BB25102D1BD0DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:29.027{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41F8DBC297BB364EE9A6705ED641E1E,SHA256=B0BE4149DBA7D9B01132D29465E98BEE5E78B45186508C1208949AADE73667A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:30.167{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846A53BC525D2D4A99F61AC1522B127C,SHA256=A5D96E3908566DE68E1E3D4AE8C56937ACDE2458FB58C07F6EB479D4BECF6792,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:31.198{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C2A420AE98BB67D284314B7547F24C,SHA256=78E75405C1592BAD5E2B1A148F7FC107A2A453DB859949FEDBFACCE1438F7356,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:31.178{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B507CEBB5B03FCAF447D46AC650EC7,SHA256=1F661FA71212EBE71BF3D7DB33366FB2EDC719292EBCCC89865F73B204CE6CD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:11.656{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62742-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:32.230{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62910D8B26E40EE4F6B0B26C1E54EFDD,SHA256=7F48F85E1CF4DD25E1ACEA6CEAF82B22AF8AD058E5D979758E479D58CCDA19A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:32.192{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A22BD1160D7618A5DA3D280827468C,SHA256=B03DA0CF10838017C513C9B85D9A874A75C97539363443729CC9597D2DE06609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:33.261{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA4CB7275B6F6B0C6D53EBA5036604A,SHA256=4E8ED3531D7BC7627842B617B9C3727E9E3A0556D525BEA0892D2D591F1DEB48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:41.439{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61349-false10.0.1.12-8000- 23542300x8000000000000000107399283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:33.211{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65893334A06431ADE73B6486203086C,SHA256=A537B67E325349A1B8C86FAF861E8AF017C787D8D1BB1AD4357A3E756B29B441,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:33.039{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90C6AF976D1E1C4A3A095FB86BC39E76,SHA256=FCFCBD5FA779B1BFC0C5B0F72CBF7F571339B984902481392AB8CE6747E00644,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:33.039{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7A9C431E677B928B1CC686FBDFD94E3,SHA256=2013A74D5782908FAA29B1CE3A807A834ED92A8EACDB2DA78978C278A8FAFE2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:34.430{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57651C94ED23890A0881555542A1EBC2,SHA256=CCDBB262F8D6CDBB05AFE8A874B44C01247A82AB0423A637C496366180955DCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:34.308{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C177BEC6ED9F897B77116B0668C7C3,SHA256=148087D06475C38B4572718F66639CC066B0E109A14DA07C33A802720E509CDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:35.492{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854D80FF8A5F111DBD488B4963B7FF91,SHA256=47C8D97A4DBD0E0878C4A02701CB75C10E6CF2662FF4C5CE34F8E9D7F1EC2256,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:35.323{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F59A06336B11685017F712B696F13F3,SHA256=C2E60256BA668E49191199D1732B0575C21664C62D3379A31239D8B54634FE5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:36.355{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67D4D71D6E31938B160E6234CA76893,SHA256=7FDDBB93F3EFFEA170566636E92EA9CB38FDBA7F90EBA84D56D96598E679BE94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:36.508{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A692065CBF89A84D96A7B28C829860,SHA256=DF4991B7726825041BC6709C4BA2CFC42238D470CD31728C7EE63228A8FC98D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:16.812{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62743-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:37.370{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D10ED05EB6F85966B8E3A35A70B80FB,SHA256=55DAFF884860BCC657E2BF5F350C9589E3CE4CA64A0B967069877CB4DA2A42CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:37.508{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67AFE7EF1A3EFA95B2092573F7A8888,SHA256=4BD7CD75AD834B9AAAF001211B3EA646DD77AF361600F7D9A25880D693F59614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:38.402{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C451789E66C788C8BF4EF96CC265920,SHA256=E215D04D1BDA8DE0C5550778359F1BF4438536E9CB547087F1FCE03C113D718F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.443{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61350-false10.0.1.12-8000- 23542300x8000000000000000107399291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:38.508{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAEA1592F072B66BC66983B14B6DF2D,SHA256=BB8B40E86BF1B44EB9263C7365F134B378ACEAAD030B372719FF9A04D2B9AD4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:38.039{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9709C01A743AD8D2E73DA8CF9C99D45,SHA256=3715EE566DD36A12E2557462330995E2C22FCEA4F2CE1DC5F823E3883618070D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:38.039{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90C6AF976D1E1C4A3A095FB86BC39E76,SHA256=FCFCBD5FA779B1BFC0C5B0F72CBF7F571339B984902481392AB8CE6747E00644,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:39.617{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA737CC5F8525A100B05831C844BDC53,SHA256=D9C844CE143A4D54C7A4799599AE6D850FB73AC1B0BFE2CB8CB48D92A2BA8ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:39.433{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9305F1B06326162B468A7EC6ED6CFEA,SHA256=18DEADF8B011B2C82F1202BF52B259EFFF68A310466F555B0C436C0597AFF334,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:40.617{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F9C8D04819DDD1D1A772A6464ACC01,SHA256=677764528D2082B2F21E9BDFFA3508757AFD6CB985245A99AE2DF2E67999BBD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:40.464{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334126E90EA506EA2A0FD78F9F8C0475,SHA256=7722EEB79DB22AD567CD793348E5DE0FABBC1069CFE7BCF7A1CEFA269049AA2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:41.511{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B33A6A8C09F6AF85C970C9FC8BE30D,SHA256=FF24D9F53A93C1392D0BBBBC7681B09C79950D4815150954901D1CB6CC0CFA84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:41.617{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1675C5FE495228591A40B721668453AE,SHA256=21576878DC3C0C6DF27B4A771083E96E3730D6ACE47DDB41971623068610C5B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:42.542{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1D38BC301CDB316C3A44078E0DFD18,SHA256=FE634002483F09A9D8F45205978BE266C610C19EB5BEB76634BA066460D2ED24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:42.617{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD396D03D7559DF289337F0AAE439E7E,SHA256=E9BD24A7A93183C4A71C9F743392E62EDD70AFF3006AA824CA5E7534E3BB18BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:42.320{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9709C01A743AD8D2E73DA8CF9C99D45,SHA256=3715EE566DD36A12E2557462330995E2C22FCEA4F2CE1DC5F823E3883618070D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:22.608{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62744-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:43.558{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9A7537B91D8861F282B79CFFCDD814,SHA256=8A85C6975047E6394680AD09B5AB45BECA13C1E3AD4A19DF0B3E45513C399B58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:43.617{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7FB4AA16934BD6D41B214AF2D1F813,SHA256=73014092BA0B66FC2394939444E35F06909D3613464CB0864FF2537A2F1B3233,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:51.552{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61351-false10.0.1.12-8000- 23542300x800000000000000055901829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:44.589{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BD06C5A12A846EEBF4D8D7686AC620,SHA256=E4DE61B72B6EA5CE3C51F02993B0245292F5EE2CC03B5BA2A8B779D738680B13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:44.617{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28A289AE35B65A69DF58494982989B4,SHA256=D9BE86897D3023F8662FFC2228459C1CF4EF9BD624910945D33D3643AB812340,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:45.605{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B998B1365368F56812B5C03293C192,SHA256=9195856F7B43EBF06CF8A83B098AD44A7D57F02446E108DFBC37672DF8038FB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:45.617{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483030BE2686038CEF6056114B1996D8,SHA256=B81E069CA3E5328B3DE6DC1AA18677CEAE60BED06AAC4AD715DA55DA193BA3C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.822{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE12A9E0B00CF6B520B729B524DDE04,SHA256=6D8552116389127BDF13098B688932DD07774F8292F38843509F5D3EF0BB7252,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107399357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.713{3BF36828-A08E-618E-CA10-01000000CC01}59725316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.713{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.713{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000055901858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.937{B81B27B7-A08E-618E-3342-01000000CA01}29882156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A08E-618E-3342-01000000CA01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A08E-618E-3342-01000000CA01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055901846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.781{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A08E-618E-3342-01000000CA01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055901845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.766{B81B27B7-A08E-618E-3342-01000000CA01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055901844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.609{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B06E387D5427D768ADB502AC7EEFDBC,SHA256=BE698FD26DA14CF8324B94BAA173B35733987C8AF9620A4DA193E3883A0BA2B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055901843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A08E-618E-3242-01000000CA01}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A08E-618E-3242-01000000CA01}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055901832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.105{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A08E-618E-3242-01000000CA01}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055901831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:46.090{B81B27B7-A08E-618E-3242-01000000CA01}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107399354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.572{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.572{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.572{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.572{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.572{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.557{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.557{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.557{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.557{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.557{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.557{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.557{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.557{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.557{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107399340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107399327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107399325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107399313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000107399308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.541{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:46.526{3BF36828-A08E-618E-CA10-01000000CC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055901861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:47.625{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FCBA70C5075AF45BFB34083B61E428,SHA256=C423D4ABD87FEC82FA18342830D9F3037B5796A69144341DDE84D47E163AAAFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.854{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.854{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.854{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.854{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107399454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107399448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107399442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107399439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107399438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.838{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107399428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107399426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107399423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107399418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.822{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.810{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107399411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.807{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BDF9CE6D617E9A7047157EE7CD8593,SHA256=A8B43CD76ADE1DDC05CEE8722FABD780E62B6A57CD329B03A7A400E4AB44E47F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107399410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.400{3BF36828-A08F-618E-CB10-01000000CC01}42565068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.400{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107399408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.400{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.385{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107399406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.275{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ECF8DDA4163388E2213A9712D4A4C81,SHA256=CA3E8252CCAFA5EF610446DA2AE725D39DD67CA95157FE19E5EF7746411C7B5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.244{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.244{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.244{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.244{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.244{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.244{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.244{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.244{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107399385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107399383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107399370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107399365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.228{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:47.214{3BF36828-A08F-618E-CB10-01000000CC01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055901860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:47.094{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03A487AD2BBE93A6FD218DF3CCD96674,SHA256=C64C7C31EFBBC89DED73F9770320A39032DACF0257A70900BD356D15F3321B60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:47.094{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=438D79AC6B6DD3C3CD433619A097EFD3,SHA256=ECA0E509C8E748004BA86B23DD5B79839AFE136535C94F43ECB0C8D1D0051137,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.838{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E1FC66BAC076E0D7A50392EA1188C7,SHA256=A98BFB816F07C58198B4E1355E4D58C6ECA7E406517A841850696B5297C7479F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:48.640{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2699DAB28EC35E22F968707DC3E01EA9,SHA256=B93C3693A28182B5A1EE15A15E7702F1A07AD06D657D5BC300C0B942D31D3559,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.619{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107399523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.619{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.619{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000107399521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.603{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.603{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.603{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.603{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.603{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107399516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.478{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D843EA5E14BF536C312192B573B6A6,SHA256=E5ABD34D6C0D3F39558C6E448C1B94C689E75C71F5CED50646176A9ADAB0A1E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.463{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.463{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.463{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.463{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.463{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.463{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.463{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.463{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.463{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107399496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107399493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107399480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107399479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107399474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.447{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.433{3BF36828-A090-618E-CD10-01000000CC01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107399467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.400{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E8313B505CCA9DE129B4543CFEA75FE,SHA256=48C94B4B240074CD2E2F67310B6A916B3A4FF9798A269B4A5F540B734712C447,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.010{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107399465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.010{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:48.010{3BF36828-A08F-618E-CC10-01000000CC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000055901864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:27.707{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:49.703{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13009CBA433798F218630E3BF764646,SHA256=2B1607528D3E7FC7CE148DAF32013ECA0F6BA77A66C6225F62DBB856BD53D4A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.978{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107399629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.978{3BF36828-A091-618E-CF10-01000000CC01}44524092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.978{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.978{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107399626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.838{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.838{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.838{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.838{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.838{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.838{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.838{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.838{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107399606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107399605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107399591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107399586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.822{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.807{3BF36828-A091-618E-CF10-01000000CC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000107399579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:56.554{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61352-false10.0.1.12-8000- 23542300x8000000000000000107399578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.432{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A530B2B81D207450D827F9B2F8DF2C0,SHA256=836D635FDD12BEC73DE04385CE35C0ECD284ECF41CC379E8FA7996973F07D7C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.307{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107399576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.307{3BF36828-A091-618E-CE10-01000000CC01}6082564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.291{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.291{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107399573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.150{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.150{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.150{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.150{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.150{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.150{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.150{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.150{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107399554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107399550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107399540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107399537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000107399532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.135{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:49.120{3BF36828-A091-618E-CE10-01000000CC01}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055901865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:50.719{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB167C27A7F74DC19E50A608509430A,SHA256=F9BC667FAA248361959FB4112CA480D10CE09FC824900C8CCE06ECFF01ECD1BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.838{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22C80C286F7A988914850F4FEB6AE074,SHA256=57785AEF6B8F17CE8F95A2D29E5266DDE57CB348F856AC63D15A6EF9E48662EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.791{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34089035F6F5815FAB65514A28CCB63A,SHA256=25853BFDED76F714524890542B2369ECA3986B931FD72E1C36E65B1B348FFB1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.666{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107399687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.666{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.666{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000107399685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.619{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.619{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.619{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.619{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.619{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.525{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.525{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.525{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.525{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.525{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.525{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.525{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107399667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107399652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107399648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107399644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000107399639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.510{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.495{3BF36828-A092-618E-D010-01000000CC01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107399632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.135{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3432C23539F7215E37AD254BEBFC4DBC,SHA256=159F20809D189977808279A46F4616284C83C80DD98234A9D0C2B30C7E0F37F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:50.103{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE3DC2A7FA33BE6C6BE02F13520072E,SHA256=ED19DBCC6B8080716C2562DB7AF7F1AC4F4E37A3665A9978F1E1D09718A11DF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:51.750{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FED31783F866EB59E3DC715F3C2FA8,SHA256=5EDBB98FEE98E3084CE6CDDC35F6049B74C81519730CA8133315046D200CDA3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:51.072{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D6D5D19F9C8FB0F259319B64BBC8EF,SHA256=CF0E8348EC9B7D5FE0BBE1DFA62F0B6120C24ADF6760481D4BCC9C7C8D637379,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:31.591{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-987.attackrange.local63507-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal53domain 354300x800000000000000055901868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:31.588{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:787e:898e:ffff-63507-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.us-west-2.compute.internal53domain 23542300x800000000000000055901867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:52.797{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE968A383582836A6B6C17F1A75C7817,SHA256=4739AF17A722257C4443971B7C1C6A65E5168D30BF1210AEB24C9AC323F76A91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:00.452{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63507- 23542300x8000000000000000107399693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:52.307{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B54784BD8345FE0A730E70EB4A81C17,SHA256=3822AC06CAD80F508E01E6D433CE3A83FF6F2212B612B9BC9D6061BAF2D69AE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:52.088{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74E08247563511ECE4A2BFFF22D4E532,SHA256=680648492E32E901837B88D9C3D99074751ECDBA21E6C3EF8292468DD62A86FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:31.601{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local62746-false72.21.81.240-80http 23542300x800000000000000055901870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:53.829{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CF89FF8E35AA313A6C9555CF69F025,SHA256=9FFE1E5C6CD619B350465CEB365E63E279DCC85C8A55CA93386624ACA88A69DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:53.338{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBF1C9D774BF4E1FF5E71FE45BF305A,SHA256=333CC93D86CB9C6625FDD4D27E5551829E8CA102B2F5F9A62454061CED5E8456,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:33.753{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62747-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:54.859{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA941FB2406C5C72B37D153ED1C0680F,SHA256=A5823D7773B1AC19E4E80B6FD4656F97D63B2A21DDDB22365C9DC1B50932E872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:02.570{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61353-false10.0.1.12-8000- 23542300x8000000000000000107399697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:54.400{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41DF0E242DDB865CC88C659205C9C8A0,SHA256=5D83E637BFB3DCD94385D84C1E81099BB91E4976070AA41FDEAE2D19B7B4E5FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:54.338{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FC9372716D1FE1950945244DD3E9E5,SHA256=485D490792796ED1B5DC628CF30538A7D1D9AB486EFCDEF286F87260EFA909FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:55.875{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC752AF95F2D9560E8D5078CB29EBD3D,SHA256=68C6389D0B7E3C64E9852A52CAF5C22B1394F90C7A0E8EEAC4054BBE78A23019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:55.338{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3D29C0C3C4818510607FD63FF777EB,SHA256=26541042DED9C99665DF8925D639501BD47E7E1A26221AE3C84881D4521CB6BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:56.557{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F78DEC113764E62154007D6AD20529,SHA256=DF50E2BE0B6255C7FE848DCFA47F0070368751DAC2C3D4CF13D5CFFAA0CB907C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.906{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7755A73135DC621A3DAA903DABBF03BA,SHA256=01D5DC86B26224AE160546D831229BE8BDE3F31674AFA63B41B4BB878CC51909,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055901888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.828{B81B27B7-A098-618E-3442-01000000CA01}57446004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A098-618E-3442-01000000CA01}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A098-618E-3442-01000000CA01}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055901877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.531{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A098-618E-3442-01000000CA01}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055901875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:56.516{B81B27B7-A098-618E-3442-01000000CA01}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055901905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.922{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F00EA5C6E21EC1CBB6D77EFED156DD,SHA256=F00A8B2D3FBB11609897EEB1A86565E3F370C11062B98D05EF94EB435E0D7A7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:57.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222ABAABE48214E265B37D249EA28B80,SHA256=66AB21A24B7822767B18207D50F869C3E31648C63845477AB3E85B2797A5B152,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.531{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D2FF943B7AD1BAADB6462644BCD7197,SHA256=7A24A6D592644C0D7633D7DC15CE9F7B0E30ABE132FC3ADB3B674692443B4884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.531{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03A487AD2BBE93A6FD218DF3CCD96674,SHA256=C64C7C31EFBBC89DED73F9770320A39032DACF0257A70900BD356D15F3321B60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055901902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A099-618E-3542-01000000CA01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A099-618E-3542-01000000CA01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055901891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.219{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A099-618E-3542-01000000CA01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055901890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:57.204{B81B27B7-A099-618E-3542-01000000CA01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055901906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:58.938{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39CA417F7EE1015D8BBFFF983432D15,SHA256=CB60AC31FC17D734566EFF2909064D03812698660530C1BB1E632512BC14BEA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:58.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD816736CEA2E7FBC3C8DF2298335E6,SHA256=1DFED7A5B004A06773CF9443215825EC46A61ADD133A2C9B7ACFB106A65020B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:59.972{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A6F2B9B4F76DCEE7FD4E913227B92E,SHA256=AA2170821F81C372FF7685EAA6D492595EF48A684B24ABF9B55F2FF4D46D6026,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:12:59.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A67C9B8F3E9571F197BD5EBA20EA08,SHA256=E1AEFE7B4C3EA9CE8C1999D85F2FA3845107DCCFF544FC45FEDCFE2BB96B76AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:00.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE73578FE4B9115A9A7F45063640A618,SHA256=15D2FE76844DF1C939C49728762268890DD5171A1037C475269F58E6DE5284BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:39.614{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62748-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000055901935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A09C-618E-3742-01000000CA01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A09C-618E-3742-01000000CA01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055901924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.882{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A09C-618E-3742-01000000CA01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055901923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.852{B81B27B7-A09C-618E-3742-01000000CA01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055901922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.351{B81B27B7-A09C-618E-3642-01000000CA01}34403620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A09C-618E-3642-01000000CA01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A09C-618E-3642-01000000CA01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055901910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.179{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A09C-618E-3642-01000000CA01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055901909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.164{B81B27B7-A09C-618E-3642-01000000CA01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055901908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:00.034{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D2525A2D038629805FD666B3FF7960E3,SHA256=949F4B05A7B08C3585D195E8FA9DCA0B51E427FA4FAE281420B23B39B5A55135,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:00.307{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62506A2D765BCC2CD76AE6C89E64ABE,SHA256=9DBDCC1D9279CB36034058BFBB0B03DEF7408543F1C08869C1154F932FE72730,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:00.307{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83B6F3083F4861F7E2C9A343A2F733E5,SHA256=C8F1016ACA42E9E47E5FEACAF75D6467521994BE1AD19336F2CEB7CE56C80210,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:08.476{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61354-false10.0.1.12-8000- 23542300x8000000000000000107399707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:01.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B812CF58FA8815D27E917E5EC509AF,SHA256=4BA09A3BF2CBED39EB86E9973256DADB67531D9B5549497C5C6BC5BF52050779,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055901952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A09D-618E-3842-01000000CA01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055901942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A09D-618E-3842-01000000CA01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055901941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.398{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A09D-618E-3842-01000000CA01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055901940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.385{B81B27B7-A09D-618E-3842-01000000CA01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055901939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.382{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417EABDF7CADD45D6B7E3DDCEFA548FD,SHA256=500D7CE40BD56579905FADE7FF7B03F1FFBC6C9A6AD2032DD944345C071561F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.382{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D2FF943B7AD1BAADB6462644BCD7197,SHA256=7A24A6D592644C0D7633D7DC15CE9F7B0E30ABE132FC3ADB3B674692443B4884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055901937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.102{B81B27B7-A09C-618E-3742-01000000CA01}4080604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107399710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:02.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9BCBCDBEB68D451A6F990DE5F15D46F,SHA256=3FC61D81EFA9972CE68D520C5250111570F7B14676B3C11F2D048DA37E6B8E54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:02.398{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A41EFF26178D70B3215F0108C01F6DA7,SHA256=C0A1C964AB82FA89BA265DC6415401CDDB764BAA959366F1B97AB5BFA544215F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:02.242{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E24866178AC8F0B12B487BF0C36911,SHA256=B03C0CC558BB7D9D98F16A23FDA520115821EC45CBA95DD899655347BC42294C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:02.291{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62506A2D765BCC2CD76AE6C89E64ABE,SHA256=9DBDCC1D9279CB36034058BFBB0B03DEF7408543F1C08869C1154F932FE72730,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:03.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F9A6A0217C5C34B994C3005437B3A0,SHA256=C9C4711A3ADAF2095BEE420D7DB634AAFEC3A97BC6CF6583C9C536080C207F4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:03.257{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A927A6D4269FFF443B76553370F45091,SHA256=1B8D922FBE4A80FC383E146C7D724E6CC4479D695C251F582D2033009A4A0695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:04.398{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAEE6EFFBEC198F51ECE9E8123CB77B6,SHA256=71197B60E43F730303561A986723A7725CF84D3EE7F9C43715885504EB39F3A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:04.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5BEA1DE7E752689587AED8128AA0A7,SHA256=3A1C7915035ABD3064395EC9C9EDBBDBE4E9E68A51B4C0D2B22AC674DAA901DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:05.554{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F085BCC4477215C68BFA9FB60D003AB,SHA256=E306B82E36AA5D84ADCBF7665BE835881B03C2654E2C2CCE4E3408F48E8E8D28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:05.869{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:05.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C06809C5D65C1895A327A46AA6EA90,SHA256=30D3AE1EFF1757B0682178F43A79D3BBDA00FF96A89175B02B9EB2F8CA4D1A38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:05.322{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B90D48A59629574F01E91E9789635204,SHA256=7FC6F9507ACD9B3962D261A8892D8804AC8B15D1BA6517590CF39A96C9C0927D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:06.890{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=160B33F3223A60B07D8BE054732103CF,SHA256=DDB12BC5325DE37B7A3F52D5FE1781DD962A9F73A05EBEFD9CAD89676192AFD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:13.570{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61355-false10.0.1.12-8000- 23542300x8000000000000000107399716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:06.640{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857F3BF02E312949374EE66C9ADBCE1E,SHA256=E3DDFD1EC9DEB4D7A42C94E4A4F1B08A1A5DE7A6485CA3092BF7633599759674,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:06.583{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B97397F96F8915EE4545BF4345F6A8B,SHA256=55A7BC42E46D316222F142D9F2FC0C0670A6F35D73E67293456E8C361AB11240,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:44.760{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:07.630{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909EDF0D6F46DF0E35893A9BA42209DC,SHA256=6E5C73A089C7394C912D2E36C6146B6CFB0BCA76D0951751BEAA001F9096084B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:15.336{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61357-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107399721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:15.336{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61357-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107399720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:15.258{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61356-false10.0.1.12-8089- 23542300x8000000000000000107399719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:07.640{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358A2E7E643443265BB84D20A3BAC2C0,SHA256=F846052BC5479054A3B6218BBFEC7E07577EE04044B8426E745520493FD6E0BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:08.661{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0B40604DD2A89AD1C0A8B9854ECDFB,SHA256=82B87C988D65142043145DEF5E999510308C7FAD54FADB7E2A90AB00AFBD620A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:08.640{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD0215B5D921825F28A1C02F64F8D9E,SHA256=B6CD11250C6FE261C909A882EC6B3B7A5D7EEE988E9B6F479CF421577A9F1EAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:09.677{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E565E183DB9D568979AAE00DDA760F,SHA256=5F2294BA57BB22FC777191D354245A8C29B79FF1A70919C542911FF32C9427A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:09.640{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986999C5006AFCAF4A9C47CF966BC260,SHA256=136C6F701FDB4741C9874C1513FCBB57A00A17C5BFB599E715EDD27B7BD47CC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:10.640{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0AE6A2C437514E5443F49A636C7AD4,SHA256=302E44FC3D9C729173AF7FE91FE7377514AFD25FCBD5F752302DD5832932872A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:10.708{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19AAEA88D8218618BFD558B223DF219F,SHA256=C0837CE09408BD7740B754CF709579D8AE06B2F278A766008100F6913014CDB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:11.734{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A39B132094D801B0553CB1DF1CC3A80,SHA256=86F01CA8DCBA8E87CD369B8D1AF9609817FA72C883E2B37931DA7E2F89356EDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:11.740{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CF2C93B54DABA268E2EC01C2CA28EB,SHA256=8F684986350A2AE20DAE3EA4018F47D8A17183EA713A9AC77B8D738CC5B5667E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:11.124{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D937EF85A872D5C0802EB6BD9E755CA,SHA256=2156B4FCBCA146BCD1EF7EB2BEDDB900210FA5504B79C3AE270B32CA2C7F8D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:12.765{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E33CBD55D5A393AAF4B0E481900BE9,SHA256=1B195BAC40B0146A6397B7D7F2C44399676D28F4A12A53E17B61D45C8717F8EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:12.755{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACEB70E9A45EC87F30E282174CC35AB,SHA256=5AE9FB638D24DF86CF770B65CC8C0068ABB457ADAB9B6F692E6FB71CC06FAA47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:19.498{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61358-false10.0.1.12-8000- 354300x800000000000000055901965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:50.680{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107399730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:13.765{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=093B9C82DCD7B03609408563281D6E79,SHA256=28F1BAB7EDC17EEC82CE39F9A920501CEC7698C6EA21EE32FE361F580B06A9C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:13.802{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2970076FBCED766091AB9E77BA60B643,SHA256=CFBD10004EB7ACAF6FCB6F56F7473E86EF48BCBCB8D90B127950CABF8336FABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:14.796{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E48BF3D620C33D615BCBF9EE4D6DD4,SHA256=552A3F500167735A67CE459D817C78840C9606F2ECC0B09D86DB09A7408CA73E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:14.818{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0505FD4EFB3999CAAFE888FADD27C8,SHA256=94F7E13C9E10A705A855B07B3A5F0F9054653E5F8F336B78D22ACFCC0B6505E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:15.890{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72DB9E81DE3345A5931EDCF4A445C96,SHA256=2A2A6B927BDEFBEAEEF7E95661DC2676F4E6AA7FE94E0C489FBF8B189855D1F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:15.849{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF67A329B626CE1A5A40E90F5F01016B,SHA256=D0CE3E4CA2C1A1879561F8019809A1CF8D3079827CEBD9A8F421C86394CDA2F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:16.906{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A92A1057BF44831B408DDC4667C604,SHA256=75614137B04988ED8AA6ADC2DB20EC3EB129FF11D92E171CCDF24BF4EE34A81C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:16.880{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62961162E9DFC0BABFEEB004A5AF4576,SHA256=84C392C8D5D4F0C3D3184364D3FFE2B087244E2792B7EFEDD2E9DD07D08C7CE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:16.343{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC402074D60ED55E34FD9689DD6B9D18,SHA256=30D669FA3E3E1A9A9180E7EDF29AAB2B46E9BE070766B6549C4238325E1A0201,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:16.343{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0848F7253F6875BEDCA583263724DD40,SHA256=86DD807E94589DE3177211D0463AA87B85DFCBA04CA61B8B9764D9F3CEFFA28C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:17.937{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F664F82AD2D14FCEEA8D439F152DD2,SHA256=7C00D85C99D9B688678844D056F3115377A66D4BBB198CCE7FFE777AD86FB9B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:17.896{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161A421F4216DFF939C4D75AF130B18F,SHA256=AEE55178E6D6C6C079CED87A1255C4A87B023A292BEF7470544EDEECEA18FF4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:24.529{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61359-false10.0.1.12-8000- 354300x800000000000000055901971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:12:55.727{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107399738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:18.937{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E73F48C4DE2366294DE4A58B7C13BCB,SHA256=89DD03BAAE3B5DC36D7CF1FA20508BF088D85D9723B850D87C5BCFEBE5DC846F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:18.911{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE037C932442239DF1C727DD38264E60,SHA256=3198069976FCD5E8CFEBE5C97877F933AEA69938A442A27C13EE514602FDE1CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:19.968{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D15B6376C0AEA02655EB94C042AA20,SHA256=C8B9CEFAC333BEB64B7FD8CEAD31F0A51515B88B4566090AD90D5FF45DBDFABA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:19.943{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39BA0F42A8836903FBE33AFD86536F50,SHA256=F5575CA823CE738977F3C0AE8D5D3947763FD4E89D49196FB0C01936DF868828,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:20.968{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E91EC7AF0489E47F04BD5A7B25179FB,SHA256=82B9152E90BF4F21145C1B8750731C7793A8F3D0561C67BA9977815E2064F348,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:20.974{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7077FAE6B2C83778EB3F6425AEECA76E,SHA256=CD18763B9355D40E317159CC86B2B67A7663F22501561011646046E247CB239D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:20.593{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9CFA8C90339B7F30624396DB69FEB391,SHA256=5ECF13664DE0837ABAD2D4F76FEBE8B55B548F5F270950445F33D65E1E1C2F74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:29.545{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61360-false10.0.1.12-8000- 23542300x8000000000000000107399743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:21.343{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81F91DA7604AD9DDB14ECC33AAD0C16D,SHA256=2A8D79F12642AAA78E6DE18B443AEDC0CC8625792C09A18136DE7516F4793283,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:21.343{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC402074D60ED55E34FD9689DD6B9D18,SHA256=30D669FA3E3E1A9A9180E7EDF29AAB2B46E9BE070766B6549C4238325E1A0201,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:22.046{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DE4107D393DFA4EC85A10037AC415B,SHA256=89A34DDE86ECA8BD8242146F78A075B4301CEE1829D84296D974CB2524A4CC90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:22.005{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE0750C7575914E6A4B149FE3EDA317,SHA256=9743C69739D76785FC7E8D2F3A30FA0B68555958CD75C64FFCCA62A1D1F4F414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:01.649{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62752-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:23.036{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8FCC53138322698892C88951CD33F4,SHA256=D80E86908AE1D131310DAC5376C2B5E0FF19C2D1A7361CEDB780836E06F227A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:23.265{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E58FACFA8583D6A6322F960A77B050,SHA256=E80E15EB7CAAB90B0E988CAE1C2FEAB486FF7A9B2B0306F23A3B946284B12CCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:24.265{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C5E72BB8980E2171C87D2264D19311,SHA256=6FBAACC7C31C701C341E4FD41A9816FE046BC13688750E611927EB0B6F192A16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:24.552{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:24.068{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA892B2CB3DB04E9E3521C0FCBE221E,SHA256=10B616AC3A113B0EA66B9A273E98DBA897190523A6BC188EBCDC94440C5E10B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:25.499{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94FC970F2F941BB8CD31EE3F396E36A,SHA256=C8F4979D76CD148E18266549DB8FCDBA301623AE0714EDBAC3EF6AF5772AA6CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:25.099{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A4AA362F0A06BC3F59F5D449609D11,SHA256=42D7121FE8B8FDA0548685BE5C09D64A06E483B66690E8AECB030E0F2931BB24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:26.547{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6BAFD50A9A9AD0533BCBEB71566DA9,SHA256=706BDD88566EC19316D8A5700547CD91DE45D8742F1D4DBDD6456F6805EA8121,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:05.086{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62753-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000055901982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:26.114{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C477FF41995565F1ABDC3CD565DF2E7,SHA256=F466024F7D0D81BBFC0D788ED52D3ED9DB759E367655131716A5D1974CD44603,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:26.282{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81F91DA7604AD9DDB14ECC33AAD0C16D,SHA256=2A8D79F12642AAA78E6DE18B443AEDC0CC8625792C09A18136DE7516F4793283,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:27.641{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F330542C1D2D85813531DEAA6F1C18,SHA256=EF8112784797FAA6841286E3A1BD2B648F48EE458145792D0B5D363D41CCCD8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:06.742{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62754-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:27.147{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCBFFEADEB8116A9FB1D57BBCA6F2A2,SHA256=512FAF845D887D0DF827CC1BC3525199E4B81784F81666A4D1C79AEBD94B89CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:34.654{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61361-false10.0.1.12-8000- 23542300x8000000000000000107399753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:28.641{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78CA7113B98A47DB14A8171FBE2C4F8,SHA256=B5CE10D15D31AF1B0C0A6BC920085CD9F905068A1C6AF16A7C1CC7DD6B34E36D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:28.162{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4F2F5623BFE44BEF6181919E0700F7,SHA256=57FD1368BADEBEEED2DED4AB0C37E8CA713248E1389CC64F5627231CA655C1E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:29.641{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66099602DA7C43A1599241576043AA74,SHA256=2291F351ABB1A2B633E8F8850B68188D5EFDA4870B3A6D36D707351999BAA579,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:29.194{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1D1E3D02CD49B9BCF42C234F1901A9,SHA256=3E0AB5E5504F815B65A2695E3844C8FD849601A5F168B724DCD1A45DDEA9BD48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:30.657{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF10C4710E29BC73426BA403F58D62F0,SHA256=64BCE0FA4736772A728B28195A153D996BA6967968C964E222D7B0A50655C408,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:30.209{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48D3956614FA64AF88AC2BAB6353546,SHA256=3364117418A78E7698FC78C597E59FCB1F0BD3EC1F399E8C536E5FFD2F43CC87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:31.719{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B89C34D1BBB796F890ECA2C1097742F,SHA256=D07E6F24DC3C2AB788D65AD68100F6FE52671622D253D3AAEF2392E6C48E5F3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:31.241{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D755891E0EE08AC0AB31C78E8BE0410B,SHA256=6FDB693A635D8D0F254B66183D31932D6092D3909D8123592A545A174F2FB9EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000107399762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:13:32.984{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000107399761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:13:32.984{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x8000000000000000107399760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:13:32.984{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x8000000000000000107399759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:32.721{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE7855B2C1AE061C7ABA8AF21E4AFF6,SHA256=18A341B288C61B7020F06EB2613811C5ED4EA4A349D7122C1FC4276C31556181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:32.272{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D702AB76DDDE58A456D4C5CB09ED98E,SHA256=747FD6722116A4661790C6403B4AA545D997405301F2FC0C12129165722DE531,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:32.080{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3F0AE90260801C7A71FDFD25924055E,SHA256=C11E45B5935AC1C3D1EB572857F6498768A099999801A57C2BFC3F75B4C076C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:32.080{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0448EF8740F4DF05A9E743291C2A2D4A,SHA256=E4DE6E9B472BD94C8E784F031D02D87CB0330A95FEEB63B2F7F5201EA41A700D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:33.987{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3F0AE90260801C7A71FDFD25924055E,SHA256=C11E45B5935AC1C3D1EB572857F6498768A099999801A57C2BFC3F75B4C076C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:33.734{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1C6F1614778F5DAECF377AF739974A,SHA256=160F0F84A04FECD1FB241C53CCFE72125EDB7AE1A911A196BB5E9D4CA683A3BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:12.681{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62755-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:33.303{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A717C0709BC4D61F7DB78FD91FEE6E5B,SHA256=D444F187CE10D7F349C0ACE21C3A9D08A855ED073F941B1B7082847940C20F1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:40.437{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61362-false10.0.1.12-8000- 23542300x8000000000000000107399770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:34.769{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F544D61BB0520F6E0C2A33E4A10D7F5,SHA256=A3BC88ED5C19BBC633EEC41AF94150256E5458E98F285F81C6FA8E1EE42D12D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:34.334{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91457985A47C7E1FDCD242DDA28BDFF,SHA256=FF6C868986CABD3819140BBF04098A5E987ED6A897A8C2CF6ECB3C7D76E5FC33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:42.405{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61364-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107399768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:42.405{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61364-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107399767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:42.390{3BF36828-9799-6185-0D00-00000000CC01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61363-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x8000000000000000107399766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:42.390{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61363-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 23542300x8000000000000000107399773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:35.800{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA1C2DA0AA05B7672FC62415744C627,SHA256=42A0146926E3223915D2F60FC318897B7FACACD9D7836BDC908C9D2D17DA43CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:35.350{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96D50D4030A4494BCB5A158D4BBEE5E,SHA256=CFC686D1CD751F622D587AED279C5CD69C59D55366F1A80629C850994CB3D306,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:42.418{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61365-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107399771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:42.418{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61365-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x8000000000000000107399774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:36.909{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F5BA57A592971376B3220FEF606796,SHA256=47C21FB330C30FAECADA45DA888842235CCAD2E9DF12F791DF00F6ED8091A90C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:36.397{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736571563F46C949D24EABE90B25B946,SHA256=F7E70AF89274F0321CAACB5E158A29DFE6F20107DDAC9D48FE6DF3B99EF91B04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:37.987{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C358AE74CB8473ACE9744C935DCFE4,SHA256=ABA93EAAB9EAA7FF262DBCDB27EBE9FBE8DF5D26B99817AECB72E4D6FC0CC99F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055901996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:37.428{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B81B9165AE52AAA2ED9921A9F1EC8EE,SHA256=DAB54BD6AC9901E55F489EC3954854FC170786B107AC54F40C1131A7FC7D5B98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:37.097{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29A61C959B0E68A4E83AFD829FDDFEFC,SHA256=3B624E8C9993FA3C16A4D65BA34E0E823672D9391B5D5CB43A02DA6B2529A8A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:38.987{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6591B8B5054D67BEE322BB3E31225B,SHA256=67CDDB7D7DF898985EC8E148CFFB5281C315DB13EC852892390C3AC9646D6B03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055901998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:17.712{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055901997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:38.459{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC50BA72CECC70E16D61A84709B3786F,SHA256=F8F41B507E5E878F0DFF71F2581E78ECB7019C5ECAB1DC1CB4851EF80D2D13E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:45.471{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61366-false10.0.1.12-8000- 23542300x800000000000000055901999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:39.475{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68906D02ACB3ED200311453FAD3D1243,SHA256=E746903E75E9E88640226D0C278D35F738F57855E8375C567F6A7803CA7C93C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:40.506{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405414F6B381BFCAA0835E9530F129A6,SHA256=6B6318752DF448BD13BB6BA2C6BD768F07B147C8BCBD79840116334125138987,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:40.050{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA00AED31A70E143D9ED0C846CB64744,SHA256=7091400DAFDFF1B566425A83B533AC4E6333E012FEE2B3A2779B96941A781366,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:41.522{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B4709E867EC45D6D9B71A48C967DD8,SHA256=08EA8A139E5843D577C92B26E3C559DB82465EC2A4E6C04E25DAB14DBA922BC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:41.284{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FFDEAA40535431AD953206C87132C5,SHA256=CA785230B0262DAC4E69C93CDC6698F8C5B1B94A7A27F732703192C6462D170A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:42.553{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A362714A28C6F3AA84DABBC7B74623B9,SHA256=A625AF5A2FEF6716CD83819199DBB61306DF425212452D8712A9840D33B84AA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107399784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.595{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61367-false10.0.1.12-8000- 23542300x8000000000000000107399783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:42.440{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E390B0F7E5C4B73A53E8E451BA99C59A,SHA256=AE2F0B35412F913CCF26886C2B04D4ED489EEA0C33CB48C7562378BB41B1C657,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:42.190{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2EB7E387EB032AB62D2F785FEACF658,SHA256=835AFB035D2E609C4E84C9B9F5C5379B8A91488FC19C099192E6EEB6DA2613A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:42.190{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=768544A9EC68F913E7A4FA66DCFF700D,SHA256=F395EF9EEE0419C5705B61FE88E6A48483A8ABDF80543ED399FA1B0E684A6084,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:43.487{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90D591B8BC829FB3F0EBADA33EC8285,SHA256=02BD8C68E6836CD011EA832283410ADA17BF39FA605E4DC2EE18292447E4375B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:43.584{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF9784084B2F30552DABE159EA4323D,SHA256=C9A3DD9931164937CC147EF62F5F8DC958A1D5873E14DFDCEA276E7B82D81D18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:44.690{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D230AA3B589C0B066F2D1E291F55C15,SHA256=DB40C5AF4D7BB7FC35DE6DAA2FE4171547E4C5FE1CA832271F4350D4EABCDB2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:44.616{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F33DC6EE0809AF39E2FC9287179057A,SHA256=3261490893EF296AEC020D2125E23771CA5CE34AF1BF84C10E4B0D8C5EB350CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:22.727{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62757-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107399787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:45.753{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B47ACAC01141402E0A624069C2E078E,SHA256=AD2568AE13F85E781610D91CE5993B9CA6F16386234C10813C7EE77948840D4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:45.662{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C798637229CC0CE60058EFDBCEFF022F,SHA256=99A8ACB738E29BB79BEDB437013AD2DA9FB1988F2BE40276CE80479B5A00008C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.755{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107399837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.755{3BF36828-A0CA-618E-D110-01000000CC01}3365640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.755{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.739{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000055902034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.979{B81B27B7-A0CA-618E-3A42-01000000CA01}13405792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.807{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A0CA-618E-3A42-01000000CA01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A0CA-618E-3A42-01000000CA01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.792{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0CA-618E-3A42-01000000CA01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.777{B81B27B7-A0CA-618E-3A42-01000000CA01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.667{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCFC20A724899FB5E7DE53EFC08038F4,SHA256=E9A56350A232B56420A4E85C793522BE4C19D406830B72045948A19503B98490,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.583{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.583{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.583{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.583{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.583{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.583{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.583{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.583{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.567{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107399814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107399813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107399799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107399794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.552{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:46.537{3BF36828-A0CA-618E-D110-01000000CC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055902019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A0CA-618E-3942-01000000CA01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A0CA-618E-3942-01000000CA01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.100{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0CA-618E-3942-01000000CA01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:46.085{B81B27B7-A0CA-618E-3942-01000000CA01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:47.682{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFF9D0CC0698F729870EC5EBFBDB837,SHA256=E5D30A8CBE9BB723756166EC95F7E060BD562B2DC50136CA03E4D5AF60CD1349,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.942{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107399923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107399918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107399905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107399904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107399899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.927{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.912{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107399892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.411{3BF36828-A0CB-618E-D210-01000000CC01}3160936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.411{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.411{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107399889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.302{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5436E40BBB572A6EA99C527BC6FD93EB,SHA256=CC284173BDC74861CA2CC27CED6B920A37A75B695F08E81EBFB51111502AC552,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107399888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.302{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2EB7E387EB032AB62D2F785FEACF658,SHA256=835AFB035D2E609C4E84C9B9F5C5379B8A91488FC19C099192E6EEB6DA2613A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.255{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.255{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.255{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.255{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.255{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.255{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.255{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.255{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.255{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107399878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107399865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107399863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107399851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000107399846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.239{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.224{3BF36828-A0CB-618E-D210-01000000CC01}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107399839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:47.036{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09EADB5D03703125668E0C14AF64EB1F,SHA256=CA49EE5F8EEA5F2DA9D509A3DACC3FB91DA5DA5311D3A2C94A9AB65F14B05A58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:47.088{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66BB0464411DED040E40FE278E2A8446,SHA256=3E6B8A28C5F62C4A87522078B90894F8505E95542A2379B48B817B4B7AFEC71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:47.088{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCAC6A58B10F3BC66EE0C1739BCEB925,SHA256=A0444FDBBBCB4FFC9B9ED546922691A6FF94B8DDEAABD36EA59CC4940BDB376D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.942{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80152F85222641C6C515602E6929B8F,SHA256=CDFEBF0CA4C9ECCC7AF5236BF65A6175DF9CD337B94B1B7F8CD79BEFC825FD25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:48.729{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F9CF8735E9BBE630CC56614AC0BF41,SHA256=0A4598914D64EFE41954D0661B44582E141C73258B36F12CE9276FDF120EF283,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.833{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1CAD1E64AC3903DF41F583D68FF800BB,SHA256=F5370EBCE58D4296C3AB5B83092045A067AABEBBD4CEF89DB6478D3177206FE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.833{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AFFB0B173831E1C82FF39EFD3134684E,SHA256=6426E3727DDDEE828939B9FDE4C607309CBFB0D00AB98B48708F0E132E4A5A36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.786{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107399998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.786{3BF36828-A0CC-618E-D410-01000000CC01}56125952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.786{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.786{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000107399995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:56.457{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61368-false10.0.1.12-8000- 23542300x8000000000000000107399994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.677{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C3A768967EC6568FB176C49DCAA197,SHA256=BE920E690ABE1E44546F6D0730C63DA479778913B0B8EC5267D1C7B7E2E1E731,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.630{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107399992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.630{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107399991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.630{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107399990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.630{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107399989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.630{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107399988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.630{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107399987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.630{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107399986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.630{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107399985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107399984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107399983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107399982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107399981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107399980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107399979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107399978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107399977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107399976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107399975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107399974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107399973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107399972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107399971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107399970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107399969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107399968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107399967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107399966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107399965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107399964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107399963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107399962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107399961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107399960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107399959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107399958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107399957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107399955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107399954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107399953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107399951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000107399950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107399948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107399947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.614{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107399946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.599{3BF36828-A0CC-618E-D410-01000000CC01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107399945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.427{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5436E40BBB572A6EA99C527BC6FD93EB,SHA256=CC284173BDC74861CA2CC27CED6B920A37A75B695F08E81EBFB51111502AC552,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107399944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.161{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107399943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.161{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107399942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.161{3BF36828-A0CB-618E-D310-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107399941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:48.020{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9006128619D98EE981AA96EF033C714B,SHA256=643E2B51AC8213310441A8591B9A2B0C50F67A09C68AD411BB0C54D45049F8A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:49.760{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A16AC2635AEDA99B4110B59791E9111,SHA256=86206E542CBE1C9085DC35BCA6639575F3A51AB87E9B74E5D20C4FAF8CDEF152,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107400069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107400066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107400061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.974{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107400054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.645{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5EB3C91FE57B0EBD60E50C3BDFE363,SHA256=FCA6B45AE1B9005A644840BE159037AFCFC46ABDFC1CF9B1A3536840777656E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.489{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107400052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.489{3BF36828-A0CD-618E-D510-01000000CC01}5040984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.489{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.489{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107400049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.317{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.317{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.317{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.317{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.317{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.317{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.317{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.317{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107400031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107400014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107400009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.302{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.287{3BF36828-A0CD-618E-D510-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055902039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:27.794{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62758-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:50.792{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F7A70637DF8F621D6337114D5BE5A2,SHA256=A4495F2267F819A1AAD221E057A1988BEF211C3F1537FF8A283D516492088A14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.973{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CA3BA8D7D64F9C640B4F47176A95BB9,SHA256=2976EE203EC514D237F100C0AD7B610761C6392DF8A9C7F0B1C873FCC5CCCF4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.911{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107400166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.911{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 10341000x8000000000000000107400165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.802{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.911{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000107400163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.802{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.802{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.802{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.802{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107400159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.708{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927CF4785E59E28B173920D141578E05,SHA256=82DD9238382C85150F5B4E7213277F73A7FE65E7BA58DD8F273DA63A85398A97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.692{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.692{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.692{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.692{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.692{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.692{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.692{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107400144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107400126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107400122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000107400117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.677{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.662{3BF36828-A0CE-618E-D710-01000000CC01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107400110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.177{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107400109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.177{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.177{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107400107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.083{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C382637EB7F23545C84414C0F8A777,SHA256=6BFC4034C8A31FECE252F3980B10EAD45215C39A1CAEEDB2DD070294E0D2701D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.005{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.005{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.005{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.005{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.005{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.005{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.005{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.005{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:50.005{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107400097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107400089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107400074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107400073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107400072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107400071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:49.989{3BF36828-A0CD-618E-D610-01000000CC01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 23542300x800000000000000055902042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:51.823{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3481C654B367A7040FF115BA54921E,SHA256=9B61A42D427598CFA966C48D9162BFDA8271279915F9B4ECEBA4DE7FE4334D51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:51.161{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592BC7580A5B76D86CE5965F41732F8B,SHA256=A01136BC9B5E752B7D1E5000D9BFE2F3E23EB9AD8A902961F8369D64A4855226,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:52.854{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D197C0908F27833A51E5E644814638,SHA256=65BC8179A771146C7E3F9AFE1988FA312A402D07C17B55A3704F1A5F42B214C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:52.223{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BE29547591BD33254788535B5C0FCD,SHA256=F507B323596645E724FD7AAD936FB3A2D4E1A8D504A095162B03068627F714C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:53.870{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E1CCD1B3B485AAFC54E44387709768,SHA256=213A1BC1832A9B64DA4B6003D31116E289B83DB5327E150C4C12FFE686E84730,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:01.613{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61369-false10.0.1.12-8000- 23542300x8000000000000000107400172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:53.473{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182F23AC2D79BFA5966365A98BB03AB8,SHA256=8D66FDFE2D386D1EAF0D042FB567EF07FFC38DE684297A5A3CE304B4EA25CF89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:53.208{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B4AA5ACDB1AD37AF0F9C0F1158416A,SHA256=99915ABF632E585D340A1B03B75C2880C696E00DDC6B06B2F8A66810087C996A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:54.917{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A542F76357071A5769EE5C86BE3725A7,SHA256=07F38C72BDC68A23163006BD88655DE5E1849A841DB473A8671C47764AA453AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:54.505{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF5073FA275C3A8AD333A7019DA7069,SHA256=2924EBF9D7E8C7642A0861A0AF1C7A308962FC61F854498401E8AA52C4630351,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:55.948{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E168DAB1B471C4DD6666A7EF72F5148,SHA256=4EFC814BB702D05F4EF4B6615325212D0681360C593F25269F8D2F28A899367A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:55.552{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE34DCEAEFE01FA03D261E8E10F69307,SHA256=C493AB21F98C7B7F57F8B1DD4E4F3A14ABA342D94E9644AE305AAD0A5994D547,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:33.559{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62759-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107400176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:56.770{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051BCBF06090713AA738A63F08FDC22D,SHA256=A79BFFD7AAE14A706610F4F2D4F8935B3BF18D6C1EB2B64682AB4B9B6991EF1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.963{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9A65DA9C98D2185CE5D61EA165FE52,SHA256=E062C455F5745D45A16C346A7814A2BF452F94192D9DD9D22F9859A00F25F065,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A0D4-618E-3B42-01000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A0D4-618E-3B42-01000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.417{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0D4-618E-3B42-01000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:56.402{B81B27B7-A0D4-618E-3B42-01000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107400177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:57.770{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D1164F5239447055D15CA027EB7371,SHA256=33935EACDA4829243D33E7213EB343E120D5FC4ADBC1AD8ABB0BB567D63D1EE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.432{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=177ECCF2372840DE6ADC8F121E3B6963,SHA256=CF1AACF1C3B1FD627014200C7A5343B87370E671531C9A147A3A0357D324134B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.432{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66BB0464411DED040E40FE278E2A8446,SHA256=3E6B8A28C5F62C4A87522078B90894F8505E95542A2379B48B817B4B7AFEC71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.198{B81B27B7-A0D5-618E-3C42-01000000CA01}33321472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A0D5-618E-3C42-01000000CA01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A0D5-618E-3C42-01000000CA01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.042{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0D5-618E-3C42-01000000CA01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.028{B81B27B7-A0D5-618E-3C42-01000000CA01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107400178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:58.770{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2F2DBBA68AB3516B7E233DF2607617,SHA256=D8E2DE62B69D9A372AC5FB66C5EC861AC2F8EB5A7920DC69D462A449B520761E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:57.995{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE771A6CA583B85413F37A52F6A490F,SHA256=D6AACDD7CDD3C6015832665AE3A86AFC233FED7B7D9D42BE35612F1D6502D162,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:59.786{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227A26FEE1DEA76C6C086F5CCCCC9A46,SHA256=36E51FEF692843C2C56FEA0EB41296CCF66068DF05B444F22936657F0915D1E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:38.715{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62760-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:59.026{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A537EFDB2F866B652FDA0E4458610F2D,SHA256=0054504BF00F62FBCBD13B39C53F136FEE845E2E0CBF54FE65554434A59762E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:59.286{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0944A6EA65F56E3A6FB81C50FC2AC5E2,SHA256=98E96B78DD16CDD839068277F837BFA0DC02F3A4053AA25B450FD4E36A5F53B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:13:59.286{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64EF4937BE7B2247054F408713714310,SHA256=DBEAB7F250378C04A8F12808064BB547647762377A7AD64AA47F4B78947C9F74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:00.786{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8ECFA0F4D57C97B8E0DF6D84BED1B0,SHA256=D2139DE050CF4FD141F75AC3E55AF57ED6F04BABA605932A018AEDA4F5FD33F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A0D8-618E-3E42-01000000CA01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A0D8-618E-3E42-01000000CA01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.900{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0D8-618E-3E42-01000000CA01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.885{B81B27B7-A0D8-618E-3E42-01000000CA01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055902096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.431{B81B27B7-A0D8-618E-3D42-01000000CA01}55886124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.212{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A0D8-618E-3D42-01000000CA01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.212{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.212{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.212{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.212{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.197{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.197{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.197{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.197{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A0D8-618E-3D42-01000000CA01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.197{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.197{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.197{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0D8-618E-3D42-01000000CA01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.182{B81B27B7-A0D8-618E-3D42-01000000CA01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.043{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4986946B81417C4D42DB2D9CD9E7F75D,SHA256=CF228A3C4619F8D6F0BE8C2981E4836C5EB3B74429A1B288CAFF1E9472D537B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:00.043{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=516940B7EF84451BC6C73B4D32115E97,SHA256=3785C9E30B1FA19429C7A4D316BF0E4F436A30CFED214FDC2FB193604393CF9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:07.644{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61370-false10.0.1.12-8000- 10341000x8000000000000000107400183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:00.598{3BF36828-9799-6185-1600-00000000CC01}12726124C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:00.598{3BF36828-9799-6185-1600-00000000CC01}12726124C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107400186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:01.786{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5C6C28C6A0302C1EBEB2266569240A,SHA256=2DF5826FA62CD6B8D6CCC1A1096010B58D26556E29B7BC5C4045CE17555F663A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A0D9-618E-3F42-01000000CA01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A0D9-618E-3F42-01000000CA01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.435{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0D9-618E-3F42-01000000CA01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.410{B81B27B7-A0D9-618E-3F42-01000000CA01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.404{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=177ECCF2372840DE6ADC8F121E3B6963,SHA256=CF1AACF1C3B1FD627014200C7A5343B87370E671531C9A147A3A0357D324134B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.404{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D073EF9748A07C5B9BBB936A5148EDA,SHA256=39F1D492C3E3349ED00A44B0050D906D64B15AED787EDA60E6809A6A2B469E97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.123{B81B27B7-A0D8-618E-3E42-01000000CA01}56965008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107400188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:02.786{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F3BE72CB68BE172B1E40CDF6E20674,SHA256=20C9DEFDB1F269D952AFF91952908C054CC43DBB4A6143C8F047EE81349FE67B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:02.420{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=544B19165F0903F016F7E05F02BB9562,SHA256=1B3B10EA3D070795D448267AC62031393218B8146D0434A78AC006C6A2814767,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:02.248{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31190F83DAB77E694A38E251D8B3094D,SHA256=8333018D904C2ADAB16663DF79FD6F5F4C6F30CC518E5FED6292B14B64D3472B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:02.286{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0944A6EA65F56E3A6FB81C50FC2AC5E2,SHA256=98E96B78DD16CDD839068277F837BFA0DC02F3A4053AA25B450FD4E36A5F53B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.786{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5DCDD477839D93F7EC32A3E5022A2C,SHA256=CC558E3B6CEC721710FDEEB8AC8D8EFBCDB5D9B8A5A82DB20A4586213C475828,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:03.467{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0C25E3725A18AA9B92A1A16855A354,SHA256=09B67BEF6F28891755C5230495FC250355D6ABDA782EFAB1A6442A26B1DF45A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107400214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:03.630{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:04.513{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6FC18E61B3A3D20581B3D81F8F85354,SHA256=897DD8EB144BB680482E7444B4F12D035D36CCD2D75F4015D0031235303C16D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:04.786{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E7D8C8FDAA47086C6C6AF5E7E7BD45,SHA256=B890FF54110F7FF7273EAFB2464859490289E05211D6BB321B09E5CA96CCA0EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:05.685{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2431D42F128E4F8FD740CA0ACD37582D,SHA256=F093C896E35FD4ACEB2B67D2D91D841C194123C1FE8FC4ED1F44F2CEBEF7A05E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:05.895{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:05.786{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EDF2504DFE1993EFDBB24125878A2F,SHA256=A442EBCBDB27A2305865413474F7BD389C41566C3422D191A305A90662E1D724,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:44.640{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62761-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107400217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:05.208{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91E2FA89B9031AC739D93755AD843E0C,SHA256=5C70A37CBC087309D69B50E8240BF96494A40903C012BEB607608AD5ECD59601,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:06.692{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1309DCEA64A42FA4A2ACE3BAAB23CBB4,SHA256=14AD0BCFCA057EDC0AB48DAB0DE75A1098EE0BA4BE2899C8D1D218D80ED38018,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.348{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61373-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107400226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.348{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61373-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107400225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.285{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61372-false10.0.1.12-8089- 23542300x8000000000000000107400224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:06.936{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65C72FC44A073E8431018266CC2163A8,SHA256=2F0BA05E3AE26ADAF202118E2FEF6BF66C655C92270E26DA81423228D92AC403,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:06.795{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90216B9CE8BF9989EDC7D01CC25DE8E,SHA256=D85B008996AF0F93D5A47004AE9E6C05E6D590763E1C8F8C750CAB33CE6BC0FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:13.582{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61371-false10.0.1.12-8000- 10341000x8000000000000000107400221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:06.405{3BF36828-9797-6185-0B00-00000000CC01}6361248C:\Windows\system32\lsass.exe{3BF36828-9792-6185-0100-00000000CC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000107400220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:06.239{3BF36828-9797-6185-0B00-00000000CC01}6365728C:\Windows\system32\lsass.exe{3BF36828-9792-6185-0100-00000000CC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000107400236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:07.795{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613D77AD16454478F9ED427EA04A7FCB,SHA256=1B92BE66E1E0B89B17437EE7642D895BFBCF941A108B02C3F82652A3D18D47BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:07.723{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9A38F5D40CE65EA830396D0E574EC0,SHA256=06C3B90EAA6274AEDB81EE2F93559E49D3B75CE171651F63E555F67724F26B20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.811{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61377-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000107400234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.811{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61377-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000107400233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.649{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61376-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000107400232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.649{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61376-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000107400231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.547{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local61375-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000107400230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.547{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61375-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000107400229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.538{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61374-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107400228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.538{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61374-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000055902134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:08.739{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E666A39E3EF56FBBEB121EF6DE1993,SHA256=7040A32828B6EEB348104093E8CABB9060B5ADD6E95045CEAF578DD152FA28CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:08.795{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFB04992CE1C129C5DC10960C989520,SHA256=35ED9816853211526A969AEDA07556671E9F9A37F13698CC3169BE189EBEF198,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:09.770{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3048649E85DA261AA0B23A6C3A9A48,SHA256=38B552ECDCA4D254F59503961A8BC6108F17357403AD533DFB263E1131FE1111,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:09.795{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6CA5588C2D6E34CF3008B021598859D,SHA256=87A8054130328D984182739DD8462D83F2879EB8278EE112988DCBE2C6674B51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:10.817{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6550DCC12AB13F0555A9B9C470DF1922,SHA256=CFF393C26014757DBBC2BCDE1BB2EDBC2428DE302961929D7BA05B56149CD1EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:10.795{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BE506687AF1C6971D9821059F0F914,SHA256=6C7471B87DE0D727D7D97560E187DEEB5D18799EF0C4FD97E4D1B101FF329A45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:49.771{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62762-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x8000000000000000107400250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000107400249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000107400248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000107400247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\LeaseTerminatesTimeDWORD (0x618eaef2) 13241300x8000000000000000107400246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\T2DWORD (0x618ead30) 13241300x8000000000000000107400245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\T1DWORD (0x618ea7ea) 13241300x8000000000000000107400244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\LeaseObtainedTimeDWORD (0x618ea0e2) 13241300x8000000000000000107400243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\LeaseDWORD (0x00000e10) 13241300x8000000000000000107400242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\DhcpServer10.0.1.1 13241300x8000000000000000107400241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000107400240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\DhcpIPAddress10.0.1.14 13241300x8000000000000000107400239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:10.108{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000055902138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:11.832{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC691E1FE65BC70DB52964A1467F1362,SHA256=4312F446FD63ED7CB07BE1329A15E54B905E8B3EE27986AA570B854AE230115A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:19.518{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:8ddb:ffff:b8d1:e3de:48e:ffff-61868-truee000:fc:1800:0:0:0:4000:0-5355llmnr 354300x8000000000000000107400256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:19.518{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61868-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000107400255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:19.513{3BF36828-9799-6185-1100-00000000CC01}424C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-128.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 354300x8000000000000000107400254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:19.482{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61378-false10.0.1.12-8000- 23542300x8000000000000000107400253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:11.795{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1338E1E726E760578FC5B6BDAAA03C5,SHA256=716AE14A6237177A9CFE51B6030273C979CC3D5A4EDB2C38C2EFABD19ADD8CA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:11.108{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FDEEB03EC52D7BC2284EB9E4F555E97,SHA256=6A4E14058DB5DF4DC569629BC39C102387E29A8BB31A0B497B2103BE4537D474,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:12.864{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D7178EEC058BEF9A15DBA267C8B67B,SHA256=28DC1FAA8D3547E27E1F7912E12E5E41A648DB81056BB34D41C0AF96B68767D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:12.795{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8379255ECA51FFD8C6B8797496C5B5,SHA256=0BF6A75D5ADA675D16B8708B54730D683A697BBFEF0CEC7D908080BCCC4F91F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:12.186{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=163991BEC97004338531B30661D0F596,SHA256=8FC8DF0E174C3A2D8B3B273F642F9226E703C45725E6B2EE2CF5CC2806E4E71F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000107400271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000107400270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000107400269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000107400268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\FlagsDWORD (0x00000002) 13241300x8000000000000000107400267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\TtlDWORD (0x000004b0) 13241300x8000000000000000107400266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\SentPriUpdateToIpBinary Data 13241300x8000000000000000107400265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\SentUpdateToIpBinary Data 13241300x8000000000000000107400264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\DnsServersBinary Data 13241300x8000000000000000107400263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\HostAddrsBinary Data 13241300x8000000000000000107400262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\PrimaryDomainNameattackrange.local 13241300x8000000000000000107400261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\AdapterDomainName(Empty) 13241300x8000000000000000107400260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\Hostnamewin-dc-128 10341000x8000000000000000107400259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:12.139{3BF36828-9797-6185-0B00-00000000CC01}6361248C:\Windows\system32\lsass.exe{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x8000000000000000107400258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:12.139{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\RegisteredSinceBootDWORD (0x00000001) 23542300x800000000000000055902140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:13.895{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCCDBDB978B68FDF91BF5736B8B4DCB,SHA256=E452FA508056D65D592ADFC5BC9099628FC8866A0D90FC1733CAB8B27C4BBF74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.560{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local50294- 354300x8000000000000000107400288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.560{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local58948-false10.0.1.14win-dc-128.attackrange.local53domain 354300x8000000000000000107400287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.560{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:8ddb:ffff:b8d1:e3de:48e:ffff-58948-truea00:10e:0:0:0:0:0:0win-dc-128.attackrange.local53domain 354300x8000000000000000107400286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.559{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local51257- 354300x8000000000000000107400285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.559{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59189- 354300x8000000000000000107400284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.559{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59189-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domain 354300x8000000000000000107400283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.554{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61390-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107400282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.553{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61390-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107400281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.552{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local52371- 354300x8000000000000000107400280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.551{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local61389-false10.0.1.14win-dc-128.attackrange.local53domain 354300x8000000000000000107400279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.551{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-128.attackrange.local61389-false10.0.1.14win-dc-128.attackrange.local53domain 354300x8000000000000000107400278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.549{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local59571- 354300x8000000000000000107400277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.549{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-128.attackrange.local59571-false10.0.1.14win-dc-128.attackrange.local53domain 354300x8000000000000000107400276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.548{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local55176- 23542300x8000000000000000107400275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:13.796{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B366279F43C1A0521115321F6D328FD6,SHA256=34077E4143726370719D44D8298DB1128B529368AE6D01854AC567676EB82532,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:13.186{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D4506945DABF2BFB6F9EB3525D46A0A,SHA256=CE4651CB273D43A4A489AC18FB7563FFD061B63A870B82C7D9A71D1850ACE2BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:14.926{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CC0C324755E47C254EB21754A473C9,SHA256=2CC1C51FF62708CD895D98B5FD8781C5D0C15781B9773606E51C566E00F3579C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:14.812{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8933025F845ED51865C83AEF8BCD3085,SHA256=A3A13DE0FB334303DB8353D44FF82A642B4BE6E43B325D07948B5110D27C66C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:15.973{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AC5DCE9C3267446CA19E2BFA6D3C01,SHA256=D945DFDEC2386F5E52BB928B0079906A9F08219A5D206F923BEABE323593576E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:15.827{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA23C5BA31F93C2319199BFDC86E659C,SHA256=1D2CF1BE9015D07DE8D2DD4C1EC83A05C5E4E2A9C7B059BBD548457DEB81C64C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:16.989{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D6F50ADEB77D3070DDB78ACEBF9817,SHA256=4A9E5F4BE3F36710DD710459FAF1DCB8485045235BFFA30121DA007DAE28ADE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000107400304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:16.905{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000107400303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:16.905{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x234ca307) 13241300x8000000000000000107400302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:16.905{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7e0-0x578d0d05) 13241300x8000000000000000107400301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:16.905{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7e8-0xb9517505) 13241300x8000000000000000107400300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:16.905{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7f1-0x1b15dd05) 13241300x8000000000000000107400299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:16.905{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000107400298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:16.905{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x234ca307) 13241300x8000000000000000107400297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:16.905{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7e0-0x578d0d05) 13241300x8000000000000000107400296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:16.905{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7e8-0xb9517505) 13241300x8000000000000000107400295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:14:16.905{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7f1-0x1b15dd05) 354300x8000000000000000107400294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:24.561{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61391-false10.0.1.12-8000- 23542300x8000000000000000107400293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:16.827{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A48E3A7889E60F4E7DBC16989A3C54,SHA256=E2C73653A4B026A28BBEE2C9974CCFA81DF8E144D446C5D12AC6A3E3B39C6657,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:13:55.709{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62763-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107400292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:16.186{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F78F3B394245FC30B308C42C23348BC0,SHA256=86B09885D14380A27A28C519004ED2E8C88C36A3C888B713BC7BCCD898E46A32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:17.827{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617CD5CCBDC532CF6411CFFE6648DD35,SHA256=ED3821798814E6038B160B05BEDCF033F25AF5E98ECB3817E141C121985CB85B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:18.828{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3513A6CA128FE95595A6B2526E39E48E,SHA256=91847E8E36BFCE60E39BA96A2C4320E5EEA606C7DF8A78CAEE26B4848CF4E573,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:18.036{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848841321A9E68849ACED600F486BBC4,SHA256=45402D515F903C3B1135FED31F7AECDFDD0225EBAC2CC83262602252DAA347A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:18.186{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=419E5B40376DC246315016A6E123E87F,SHA256=70F46B70B3EC52D03A8BC619B67ACDED0F8A1C54FF33C2E04A080B3947D5428E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:19.828{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690EDF997C43771B567ACFF36064BE7A,SHA256=721B163258FCBE14771F40785F94D32461F896554FE32D17F4CA80BEDE235FB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:19.051{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7993BF1AF4A0E33FB37BA436E8A52B2D,SHA256=D31349BCC5B114BD15DA25A816BF74F53F25623AB26F182CD6FC72A5F3752CC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:20.828{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1578BEDF05749AC2724D905111C44897,SHA256=BA32BBC26E401D78DBB244BD15D75B45D85EC5F21E80519C2698BE4909DEEF90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.286{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:20.082{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7577FD29E64565BEC63BC491B6D02C51,SHA256=98D612AE61738E92829E84144816FDDF3DDAF596FC9596BD2DB827662A7A09F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:20.594{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=53C414FA5743D8149E77D15C4824673C,SHA256=05179890445D78910C84D5BD07A640C1CDA62155F5EB04C86007C134A78C2F38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:21.520{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25ABBAEDEB18313F29DDB9B06257CDE4,SHA256=78D8BF39E250885DEC4AAD34D1ABCC120EC50E8ACA97120D68EE7A12D262B872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.828{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15485DBE7EFC73207E386BADF1C65D0,SHA256=EC33991F54075BF814EA2D43F9A755E030185891F891DDA9CFB9F5401993A013,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:21.187{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57E9DC123CCA99F799BFCAEC7D5F7DDC,SHA256=6A47B2FC2813A92F9ABDBDB2DD8F09AE26B4544762EA44365F87F6BC3682BF6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:29.577{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61392-false10.0.1.12-8000- 23542300x8000000000000000107400314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:22.844{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F164C43BA3894D8A8644237AF73A0842,SHA256=CB82C526742EB954A8EA9B9F65454A93F6C4F23AFC7FCD1178617FED4ABE5BBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:22.754{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EF0DF6357A1BE0B506460C17DC8CFC,SHA256=F73D05634C3204D2969FECB04581A5DA8B5F47CC3C48AF20A9F41204C652C22C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:22.297{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2F6617E11A80BB562360DC40AA35714,SHA256=DD32CBC3F90EE92410A4029B04647A6EC63EA07A31D192D27A2692A7409E9FD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:23.770{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0758E00FD72542990D07238E5C27AF8,SHA256=316EE630BFBBBC22B9991ECF8DD9ADE815D4EFA8BF7A2899A3C6CB28AF903A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:23.844{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5116BD1752421C49614364136BAC1B1,SHA256=118B979A5B7F6C8FDC828E7D0B5CA60FD7F0CDEB783FA826562A256B3FF13AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:01.646{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62764-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:24.817{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92605A300C37F6B0CE0C0367D9E194B8,SHA256=F7FB45C7B5C77CC755FF06C1F241027B5100512745616CBA8F3EF3C497279BC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:24.844{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FF75F7D1A792A703AB12EC096129C1,SHA256=79532A507E6F213F59870478E6EE232506E5012621003EA98399A7CEA10282D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:24.582{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:25.875{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E86F2BF3F49AC945A89D2ACED1354F8,SHA256=7961FF180AAC34BB089F991FA2963483D532C43F0C8E59F3277DFA9C13D452E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:26.914{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F624DD3CCD6E0D58D8916E55A251EC76,SHA256=E366D1F5A94417A5E5B5AC2FAF5B57CED3E008327B13EDE3F2F53BF63E37B83D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:05.115{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62765-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000055902183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:26.035{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D258AB72C786B652DE22000F553802B6,SHA256=D708AFC7F5683784AFFCEBE1650976F088BAA41DCA2F5AF9DAB7F514D2EA609B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:26.203{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C710DA9B33E4D7960DE125A36F13379A,SHA256=9823C33A08107BEA7B82DA98AAF9F682537C113F01A89934A5C8C0F76AE32225,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:27.914{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629BE87B7565B08A44E6290C129D2766,SHA256=C2DE9835AA4C7636B9B2A31DAA2A5C057ED86DCFD3C0CFF274923C27E12D2ABA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:27.248{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10A96D366196AC391655FF14333429C,SHA256=D142CFA6B01AB357AB03213C1D99EA833159FFED3C2962CDA3EAD6DC4AA887BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:27.320{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48993857764DCF4583C2D5D58CE44E60,SHA256=BA0F14F549203C680841E4D77920D1745D55E957BFCFAB50C2A4624207F7CA8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:28.961{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEA4154FD8680FFB9D1A922C605DD1F,SHA256=66706B5BF23E0BD22AB074C1D9AE3898D210C6BB7D0B59C8A9B951436035C53B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:06.711{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62766-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:28.263{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E345E87CF4DD1CB9B41E15F67EC20D8,SHA256=285ABD951B44C550D1725B00E7210044CFF6EA29975A5C55E05B8A7A8C6420C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:34.593{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61393-false10.0.1.12-8000- 23542300x8000000000000000107400325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:29.976{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581EB522568CF38C35A4E3618A123FC1,SHA256=6C4F7A4ADA5A9BCCEC69ACB17D47C6CC92DCA9B044C22C91E004928B694C0F24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:29.296{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A033B5098FCE0848B994146FE4B0F8F7,SHA256=64BD54DEA995535BC37F5EC669A4DC708E0D65CBAC49358EA64BC1B804E095C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:30.992{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3557C6BEE406FE266EB4185B6348897,SHA256=A4A2480B8C8C035D9990055AE3DAF04B52917EC606908A4A53298CA881D68AA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:30.328{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9620EE8399E22441A06ADBDE39BE2DA7,SHA256=FC1ED24D6FBA7940DD165D5F74C92FADFFA4C422882572C867AB5A7F88F142BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:31.343{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A59E80816AA2C416A5553CFC0226B67,SHA256=3055A85FC79D2A8235134519073637C657DEC0602D734E78848C88D23B64CD43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:32.374{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1787576CB3A7961B459C7B9FBDA1F1DB,SHA256=80C9ECA5E69AEB5901FEC9D0F8AEC0B642BE5C1067643670BBD3DD61C880E822,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:32.148{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB1517270BDC14B913B6B5A0A539A340,SHA256=D0839E3231DE9A95B62841823C68D7C7CFB30E753C1844B2C48E55F54F650F9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:32.101{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648600F0C473F01E967AAE73425EE0FC,SHA256=1DB61291EEB209217CD6B01EEF43F1153517478DC3EC2A59F7CC450872AA4314,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:33.421{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F12DE07A1C308F0A94A95FFC7815C89,SHA256=B2C7709F53959D426F4548770E9393C2EE5BCAA3E47088517D2D653688084B24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:33.101{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2A565C8659C42D22C4CB826EA0BCD4,SHA256=61AE34422A05425A70C0514D54043D29576955AB5C1D34FA59B0AB9045AD637E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:11.797{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62767-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:34.452{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF18058E5AFBF0B649A518F6F238947D,SHA256=F78EC3F4A32B10159FEA54268ECD06B61307F6DCED3FA08C3B2D730F6555A12B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:40.492{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61394-false10.0.1.12-8000- 23542300x8000000000000000107400330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:34.113{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2570B8C8DC60552A637A7E8CBF8DBE,SHA256=401E56B61FEFB8CE49DD05E812470BEB808513FF6F46D4B2BBDF52A551E5270E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:35.483{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA3EA68EC401EC6EAF50F5A715C4D89,SHA256=932545E714CA34E5D517BC439781A3B887E65826E1F8E93DB341DBE3D0986C78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:35.352{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CF4CE4760B8C20F9990CCD5F886ACB,SHA256=85B9A9D2009CEC108F8A36A08D292A650597E597CC618D8A9E3750A8E2BDC14C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:36.515{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E4A60D2FE4BAA94453BE57323221CE,SHA256=7D431AEA4E5D355257F610B5E8AE0874F4B6E347FC556AA1629E255BFCDAD5A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:36.352{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8BC3D26098DDB1AC71D32BA227E8DA,SHA256=937B54C30675766BC6828489A823C4E1C8DF994A8F6CC8C0C8AF34B0A394C181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:37.415{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5000FD3AB5440A3396271387A635A60,SHA256=02B3B9EAA4F449454855D5635D971FBCFBB50A9A6EC6E814E2FFA748B8677892,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:37.546{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCEF603D14D79532A346AC7CB7978622,SHA256=1E16360D97D7CCA31CF22473D73CEC7DEC1B1AB07C2CA1F12355DC09818A72A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:37.133{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9476D0412AEE2BD9C14243645982BFC0,SHA256=43B042A07D92073531BE89FB2C95721C6D3BBD63CB7E1CB65E150CF6496CF694,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:17.797{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62768-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:38.562{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93ADF7B7BC920DB327B9A2EA1B07B787,SHA256=27EEEB83D49D7834C1A8081FA0618614E0F5A10BC8F155E7EC95C459DDEDD94B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:38.633{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9627871332C29DB39D95D0FEE3121142,SHA256=4AB17ACFE292A6B41A79BB415313A97DB120E8C695D7B0EA8AADB5461A9B1482,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:45.539{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61395-false10.0.1.12-8000- 23542300x800000000000000055902200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:39.593{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFAF83E019F09622221901ADDCA424CA,SHA256=2E6BC8FBD71D78C859295DAD586323B1778138DAE2A1F3DBB0CA5412E8F98C13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:39.633{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910BFDBE1F6EC8D1BA77113E61B5FFE7,SHA256=844754CE5907F068C62C411B359F2D4DC5BCA8B4E00DE6A567EB1D1C7C840F99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:40.608{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226211D269F5B7C79780FBD8E2A22CF4,SHA256=AEA21F3FFA9727C8DEFCB1AF223AE3EA791B1F4A7E9AAD98FA4D76F3F0981829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:40.649{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38E51537E6F4803698560DFC0AC825A,SHA256=8DA459BC5C409A83F06A7209D5CA5B705CD926E7BC53DDA93966C50C69882796,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:41.649{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3C91897671ACB300F3761FEBC5339F,SHA256=01033C2F694112A4B6018F47E5EFE0F54C82E824D9A29748FA0B06B76699B9CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:41.640{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2ACC645EBCCEE4B8947145943A2BD89,SHA256=8C1D6701744CB67FB78D37C50BF170B5CA5FFEA636AF07A3AE89475BF8AF5DAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:42.665{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574D25561592C9A2F1C6293441F83F73,SHA256=18D1A0B14454D4857524078E9A6958C34A39ED2E29D0C3638B1D4A1793C4D325,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:42.655{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD40B8BB1C6F1094327A9F5957EAE64,SHA256=F9D68A0D7CDD8625D7AAE080F963AC803E9D037AA18B750C999FEE136FF6EA22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:42.180{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B79AED2C3782B450F2D045DA4FC7F90,SHA256=1DDE75A147D9704920EDFCC5CC6A3A4DD6B30AAA0D5D795B9808666B70E7D1FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:42.180{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59C17A96B94E3CCC1C1C5062D092171C,SHA256=7E593A4463A90E3D4B646D0B63F40453A35905467D07C9631C4EA36F058F3BE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:43.790{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2509470A0152A257FFBD0D04A76A832D,SHA256=3109E218EA71A9EAEDEE6EE8BE38C0CE9475E97E1F3CB14E3ED32C4845C3EC9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:43.671{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6E27E0C3937C89943E1783B4AABC17,SHA256=5B6EE94E8527D6D0EBBD3F343D3A557D6E91A373CAF76D63A5CFD29E48D2815F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.587{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61396-false10.0.1.12-8000- 23542300x8000000000000000107400346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:44.805{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B12F8234AAAC2DFE8159C0B144A925,SHA256=407EE979219009245F23775851392EDE26958C02E8C177E0888BA3E7989DA288,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:23.718{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62769-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:44.718{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624309C742400BE9167F5E50FBB5DF05,SHA256=E94EB9FBD3FA4C6BD1031F7B808CDE6429E457F213BBB1CD0B19913D0B5D0549,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:45.993{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B79AED2C3782B450F2D045DA4FC7F90,SHA256=1DDE75A147D9704920EDFCC5CC6A3A4DD6B30AAA0D5D795B9808666B70E7D1FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:45.821{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB06B4D679C3A9FFD999498BABA4A05,SHA256=ADB231427EA8CEC631BFA00E94E627847334F443194CC62ADB0E35FDE2E79ACB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:45.749{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DC819467B47B02D19B19F0A6AE3F03,SHA256=44BA234C1D4E2A3AA884C5FCC45F9FE0EBAA11A9FCE907093CF7B24C343B6E30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A106-618E-4142-01000000CA01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A106-618E-4142-01000000CA01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.797{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A106-618E-4142-01000000CA01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.782{B81B27B7-A106-618E-4142-01000000CA01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.765{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9BFC396CD94A1B938B2BE6B6F9161C,SHA256=244C09924B467D7D53C8AD9D05CB130C761FE280CF8529CA8F8A7671CACE52A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.885{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8AF36BCB6C5301CFBA9DB8DA0C0487D,SHA256=5C1887546C1CC4A96679CB604B5A91AE3B1216EC574FA635F88808988E7EB540,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.713{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107400398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.713{3BF36828-A106-618E-D810-01000000CC01}3325712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.713{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.713{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107400395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.557{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.557{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.557{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.557{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.557{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.557{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.557{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.557{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107400377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107400360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107400355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.541{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:46.526{3BF36828-A106-618E-D810-01000000CC01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000055902230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:14:46.656{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000055902229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:14:46.656{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x29aa4a01) 13241300x800000000000000055902228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:14:46.656{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7e0-0x65eb3fdc) 13241300x800000000000000055902227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:14:46.656{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7e8-0xc7afa7dc) 13241300x800000000000000055902226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:14:46.656{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7f1-0x29740fdc) 13241300x800000000000000055902225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:14:46.656{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000055902224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:14:46.656{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x29aa4a01) 13241300x800000000000000055902223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:14:46.656{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7e0-0x65eb3fdc) 13241300x800000000000000055902222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:14:46.656{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7e8-0xc7afa7dc) 13241300x800000000000000055902221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:14:46.656{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7f1-0x29740fdc) 10341000x800000000000000055902220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A106-618E-4042-01000000CA01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A106-618E-4042-01000000CA01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.108{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A106-618E-4042-01000000CA01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:46.094{B81B27B7-A106-618E-4042-01000000CA01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:47.797{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DCD0D2C5A64EF715E9E9C9D251A0F7,SHA256=61BA7EDD9385BF9B8F2C0C0E14E971C86461FA9F33522E7C32E834F6765D1944,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.947{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.947{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.947{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.947{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.947{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.932{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.932{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.932{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.932{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.932{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.932{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.932{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.932{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.932{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107400486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107400472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107400469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107400464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.901{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107400456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.916{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:47.297{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B2D53527BD6D307B107FA7262CB25B,SHA256=394FB1E9C285AED428FCED0EF22E34E64AD953DCCC184845D8E2342FD47AB36B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:47.297{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38A55433D78CC356987078DAC09FCA71,SHA256=AC1391310462F73B29D80180F4295637E22B2E37D2D11860BACF4815E6B8F792,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:47.000{B81B27B7-A106-618E-4142-01000000CA01}58402452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107400452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.541{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=931C3D23654A4F0E487EFA1ECDFF7FC8,SHA256=97C6896A769D5E6D98A93E64FEE6181914B024C42917AEB6E329FC7BE1D6247E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.400{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107400450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.400{3BF36828-A107-618E-D910-01000000CC01}51684332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.400{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.400{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107400447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.244{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.244{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.244{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.244{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.244{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.244{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.244{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.244{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107400427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107400412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107400407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.228{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:47.214{3BF36828-A107-618E-D910-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:48.828{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB26D6759E12A32D2063E83D8311DCDD,SHA256=2DE85B5D5BF72D7A6130D616C6CD166AD166723F5AD38BF54A51AC0EC76EC7D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.900{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB7E38BDF615941E6920514337FF930F,SHA256=B75996066B41A3D285EDCD0A22EFBC2DB7E4FB9D206239D49450E70B7D8094FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.650{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107400561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.650{3BF36828-A108-618E-DB10-01000000CC01}6963200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.650{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.650{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107400558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.650{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FA3AEB44A908DBF96517B51798C18D,SHA256=AD6CD3B9A63E95CA34B0AD85EB9A4DCB667697ED2A58788C20F8852596193EDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.494{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.494{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.494{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.494{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.494{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.494{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.494{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.494{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107400537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107400523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107400521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000107400516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.478{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.464{3BF36828-A108-618E-DB10-01000000CC01}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107400509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.135{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107400508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.135{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.135{3BF36828-A107-618E-DA10-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107400506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:48.025{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15033401691BB3F8AF65C0923DCC2DA8,SHA256=C7145DCFE937CBD2A2DC47BDAA30A7583C6AA584FF5571C10DE513DDCB2C53FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:49.859{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9B9E10C5B330DE4BAADAFFD43E2031,SHA256=E4FECDA7BB99F2337CF6845D3E60FEC19FD3BC5120FAE7FB02ADCEB286B752BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107400671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.885{3BF36828-A109-618E-DD10-01000000CC01}36044648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.885{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.885{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107400668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.728{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.728{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.728{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.728{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.728{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.728{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.728{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.728{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.728{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107400659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107400644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107400632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000107400627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.713{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.698{3BF36828-A109-618E-DD10-01000000CC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000107400620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:56.494{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61397-false10.0.1.12-8000- 734700x8000000000000000107400619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.182{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107400618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.182{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.182{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107400616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107400607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.041{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107400586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107400584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107400583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107400582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107400581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107400579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107400576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107400571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.025{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.013{3BF36828-A109-618E-DC10-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107400564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:49.010{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37607FE5BD5AA3B609613BBEB36D7FB0,SHA256=BCD05B0E7577B87250290484391EB72CC9A68E50F0F836B0894F0137EEC6B707,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:50.891{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1543E67E4B86D5CF7691D8B4E922D6,SHA256=D7335E17B7A21466217BE38BEB5AE56B3DD28CCF94D75798CE9C2D793BC6B862,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.557{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107400724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.557{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.557{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107400722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.416{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.416{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.416{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.416{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.416{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.416{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.416{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107400708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107400690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107400686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000107400681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.400{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.385{3BF36828-A10A-618E-DE10-01000000CC01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107400674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.182{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603000BD415AAD57EC21EBA3F2C24469,SHA256=3521966B2C7D089FF8D7A2E703B48DC1D46FDF118F5CE2E6A6559D327A461D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.150{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918FC3037739B713BB32521708B25C84,SHA256=E151B5DC56352E100379ACFF6D5CC7BDC329C05085B17FE020B8F3CBB5F36FC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:50.150{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5528F6E8C9FE593663441DDF9FD69C2,SHA256=F392F03E9DEA5C6B0F04F67510F20CEA1DF381813E4A829A0969BEADCD44ABE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:51.922{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A6285DBDD1388A31028B5334459FAA,SHA256=D5AC1C30620249B7D2E7C313FBF53ACDC30E49130B37C09F41968CC0674E8181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:51.385{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F708181E70D1C20D9BE33C37D7C25A1F,SHA256=D07E2A5A52EE397A12BA42D1BF3D92FDF0EB2B33B1B0E5619EE0E5F157EFD693,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:51.322{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AC00BA73D2D0C20D8C265912F7BF86,SHA256=D79ADD7D83E93F71B922AF571BBA0DE049095A74AAD8DE96C0366E62B76F4C62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:29.688{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62770-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:52.969{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C45198BBDB6DDB1EC4A29C45AB7B096,SHA256=791BD68AB2658E2EB9B398A2CB9E94BFF16CE84B51FC24D94176AD1B98A6465F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:52.369{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDC8B9C9BD4B7B179A09C9B60BBB99C,SHA256=36391CE21A3F3CC0E0BE9089FBAD8252B6C56AA6ED106EBA661455D322D2C326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:53.984{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40303EF497557D0FA7F207503E0569E,SHA256=7BEC03F5700923EE43C84E0BA93C58488715538AD3639B547AEF5602B713604F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:01.572{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61398-false10.0.1.12-8000- 23542300x8000000000000000107400730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:53.385{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1570F5333978EEAE440207281282AD1C,SHA256=4FFF553ED1F47CEE112C9842476A45462457C3648D40175BCA7B99F1C5D5812F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:53.182{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A730E03101CA6E2D748304EB9E0D898,SHA256=AC45AA87C8A142978E9EF9CCE85490A1A07B17B6908A7352500E30A1AC0F6C49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:54.728{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4524479370906AD66A28E8414B595DC0,SHA256=4DD574B618708E8D81A08A41C0304533618CE42400ED03039103CC5778A083CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:54.400{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A109383DFB888BAC63BBB8E1096173,SHA256=7577F0BE31C5D7A7742D221C4B2404BEAD0E6C64CD7CB3EB00D2F6A9126247E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:03.090{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61399-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000107400735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:03.090{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61399-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x8000000000000000107400734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:55.416{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B488249D77A9C5D3EA57C29361D43CA2,SHA256=1536B5C8F14004A23DD8622691FDCCAF53A9DB3745796891266D7F0827013DCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:55.015{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBBA6611A61039D255952BC73D0FBAA,SHA256=41F29395EEE70B5112CEFE503BC8580E779962A4BDFC03169417F7D1408BA53D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:56.572{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BF02B9C6AFFB3E133D781A3486233D,SHA256=F977B051F89F22D78913D86E4E558E040E824B68439CC07A33808EEA8EBDAF5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.953{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A110-618E-4342-01000000CA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A110-618E-4342-01000000CA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.937{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A110-618E-4342-01000000CA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.923{B81B27B7-A110-618E-4342-01000000CA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055902271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A110-618E-4242-01000000CA01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A110-618E-4242-01000000CA01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.422{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A110-618E-4242-01000000CA01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.407{B81B27B7-A110-618E-4242-01000000CA01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055902258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:34.750{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62771-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.031{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4ACB65756BDBEDBD3477B727D638DB,SHA256=066186D186A59513E51ECFA81B6C5E736829AFDE92F7F103E089CEF1F4CC46C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:57.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58DE22C3A9949DC3861CB1F59DB7669C,SHA256=A44370DE01C49FAD022F2D20759163E013C49587566394E4F865A97221D394B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:57.453{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=663CE761DD137C5B1DEE5C47BE720020,SHA256=192A5C3D8B84A255A2D33356BAE649EC5A6DD318117CA6B6670901C42E191D20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:57.453{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B2D53527BD6D307B107FA7262CB25B,SHA256=394FB1E9C285AED428FCED0EF22E34E64AD953DCCC184845D8E2342FD47AB36B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:57.297{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4703DAB74D2A42335005AA3C5A034433,SHA256=9357D4C6E7F6A0B86828DCFEF988EBA9D157B3C4CD2FA855F4683FBA057F01F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:57.172{B81B27B7-A110-618E-4342-01000000CA01}48643616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107400739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:58.791{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000DD6B4F3B2CE09EC8B20A342E10087,SHA256=2277A522CBA57BBCA7A91F2ADF8F0339670B7C1C211E7AC6714459002215C83E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:58.219{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74896264C079A57699E180B6B48452E,SHA256=4441CB65B75A70EA80BF3961065361ED887A438635CD867AB9D52D39D1F91439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:59.807{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8284D6B4D39E7DB58165CE4447DF4D5D,SHA256=1EC6DAFB60B5566564B40FCE80D8DCA8A9855AF29044E1B636BA06857C16723D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:59.437{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C38B00F29F8C9CB989D0590E6A9921F,SHA256=D9D90E711447153D0DA6FA93E5B51F920F84E22B57921CEB66A678805387439F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:14:59.182{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAFD19BEC4CA04CF0F332996FB8A4260,SHA256=781EB742D0A779AE040561CEC4F79BE333E90BD7CEC07DA6D30EB7A309EB27F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:00.807{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B099115D2BD2A62B80980ED6740F21CF,SHA256=1FB0A809042B8450478E1CEFAF917E584ACBAC8FA23039BD2E112D9E5184E78F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.906{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A114-618E-4542-01000000CA01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A114-618E-4542-01000000CA01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.890{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A114-618E-4542-01000000CA01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.876{B81B27B7-A114-618E-4542-01000000CA01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.517{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072BAAAACED051C08A0E9D9DBD716571,SHA256=E52A573446C44CD03E071A99BDBEC90580A183CFA04EF5E9BB6C4B06CE92D712,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.561{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61400-false10.0.1.12-8000- 10341000x800000000000000055902305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.407{B81B27B7-A114-618E-4442-01000000CA01}27926024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A114-618E-4442-01000000CA01}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A114-618E-4442-01000000CA01}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.203{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A114-618E-4442-01000000CA01}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.188{B81B27B7-A114-618E-4442-01000000CA01}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:00.047{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A0A5665D59143F211F72EB71521E1056,SHA256=0B3F3631A01BF3468D53E16E8548F8B7165D85593034188AD2A7CD91D978561C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.857{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132BD965EAF094E88AEF6FDA71B38F9F,SHA256=789306D32B9CF2B36AECEE896AC0D9F6CA4E087294C0D34E75D29B0F58B70339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:01.807{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183FEFBE9735D0A421913C2C5E273F2C,SHA256=FE2F6EB708BD2C1FE9DFA72DE5ECF2E5D3C7A1A472F6877720428ADA466B6C90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A115-618E-4642-01000000CA01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A115-618E-4642-01000000CA01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.592{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A115-618E-4642-01000000CA01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.576{B81B27B7-A115-618E-4642-01000000CA01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.216{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=663CE761DD137C5B1DEE5C47BE720020,SHA256=192A5C3D8B84A255A2D33356BAE649EC5A6DD318117CA6B6670901C42E191D20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.138{B81B27B7-A114-618E-4542-01000000CA01}7524892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:02.891{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24794E6D7A6C7C0FC6E7CB01E58690F,SHA256=CB286BAF1D97D3603FCE29CB9D32A11632AF25F616F612109CCCD51F18BF0EAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:02.900{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304FA56EEF906B9F7FAA008018DC985B,SHA256=FB40DBF6395F90B48DA8840A2CD9AADC8C488E0AEB46CC33A6ECFA7031787294,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:02.813{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CDF1DD1D79551E84F1EA87FA1C17322,SHA256=0D608E6E813CAC9D39A7ED8C19445906BD01F917286EB32D274A6F55D6D2598D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:40.594{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62772-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107400745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:02.307{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=107921B1BD99189BAB2EF7529677C10F,SHA256=8E612227E4CCA4712E7D5588DBA75725F26C5B48847067FE33465E35989BF604,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:03.907{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B717DE52D722221E3CD4B13CFAEF69,SHA256=E28B078D7DBCD00D83E9289C5C4067A1C4B53F1E9975D23922A99D88D7F9C0CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:03.916{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07822D74997A9645B131C7D1FBE4A06B,SHA256=C9A6035756187FC53BEB2E8D2E7DE01BDBF7DC4BBF9F5C3B896AF157FBAA5B9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:04.907{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169B60A39F4A91A945F6315262902DD7,SHA256=D1967BF8DB584446EE8EC47039BE1CE1A14F7DDA2D8F8893362E3445CAE51944,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:04.947{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A9211C889626957C23B384BA6E97A0,SHA256=00F3E7DBFCF9CE953BD23113F68D06F3CE3B1EA650F1F16D29C4E5CBA753CF63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:05.923{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD304674D1BEEFBFEA06F73E6351036F,SHA256=6D1C356D65B7E8C60773CDBC34BF49EDB8AA84787C5E63B2BD430FD4FC0816B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:05.947{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1738653EB3DCD34747C5A99DE9A52649,SHA256=C158AD1CCBA9C6D451EDFC4B1A0A321DC67F82FFE69EE40119BD4C8B990CA66F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:05.916{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:13.557{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61401-false10.0.1.12-8000- 23542300x8000000000000000107400749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:05.150{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02201835D951995969389A5562177EE4,SHA256=97A27CA2C19ADE76200BE61A0695AA4345375613EDFCFB77B80457DAD614C273,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:06.960{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65275BB2BF05308C1A7AE5F45239E5AD,SHA256=A96BEF2D18D4DF85CEF84AEDA170CB523ECD1612B20EE3405574FE5A05C90204,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:06.960{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5968040EF9E312E25B9AF826E70A693,SHA256=3AC48BA8BB55643263347C205E7EE3ADFFE20CCB223244FAC6AAA18E1566CDCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:06.934{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317025B55450544EB09D49B97D43C911,SHA256=6C4142E612388F789C9C800BF2486D2BC62CE20C743CB2CEE7632DC177E7E86A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:07.950{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AA84F5FD7EF8D8112CD3CCB58BC26A,SHA256=4B2361722F1A4A3DA80866C68A7E91D8149855B10A0BA513A86906E16084AC86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.538{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.538{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.538{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37C,IMPHASH=36FD662FB3EF657597E485F3FC734A67trueMicrosoft WindowsValid 734700x8000000000000000107400779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.538{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.538{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94,IMPHASH=A243271C363636A670D5D150D4D338C9trueMicrosoft WindowsValid 734700x8000000000000000107400777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 10341000x8000000000000000107400776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-9797-6185-0B00-00000000CC01}6361884C:\Windows\system32\lsass.exe{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\system32\sc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-9797-6185-0B00-00000000CC01}6361884C:\Windows\system32\lsass.exe{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\system32\sc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107400773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 12241200x800000000000000055902346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-DeleteKey2021-11-12 17:15:07.544{B81B27B7-F665-6183-0A00-00000000CA01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\maliciousService 13241300x800000000000000055902345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.localT1031,T1050SetValue2021-11-12 17:15:07.544{B81B27B7-F665-6183-0A00-00000000CA01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\maliciousService\StartDWORD (0x00000004) 13241300x800000000000000055902344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:15:07.544{B81B27B7-F665-6183-0A00-00000000CA01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\maliciousService\DeleteFlagDWORD (0x00000001) 354300x800000000000000055902343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:45.641{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62773-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000107400771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000107400769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-97ED-6185-9700-00000000CC01}60884192C:\Windows\system32\conhost.exe{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000107400766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exeMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92trueMicrosoft WindowsValid 10341000x8000000000000000107400762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.522{3BF36828-97ED-6185-9600-00000000CC01}60806104C:\Windows\system32\cmd.exe{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:07.504{3BF36828-A11B-618E-DF10-01000000CC01}5584C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exeSc \\10.0.1.15 delete maliciousServiceC:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 354300x8000000000000000107400757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:15.354{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61403-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107400756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:15.354{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61403-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107400755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:15.307{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61402-false10.0.1.12-8089- 23542300x800000000000000055902350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:08.966{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2679987FE3D5823051B52BBA728D9618,SHA256=F73319A203A6B011C15235A89F3F4B501C11AFEE372727A1445C11403F254732,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:08.491{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B8F6F477809D080A5204D462BA224D1,SHA256=88EB2C3EBF8BA8100A49880DA00AAF604EE060466012B6907B950A747FABD5BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:08.179{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD1E4E35FDCBBDF21E8419277EFBB08,SHA256=7C94C23A46CE72476FDEE6C1C7AA4ED447EEF130F31AC3F690236EBD9959C627,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:08.606{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE93698CA1D66092F7AC70F1C8772B79,SHA256=831F2C24B07D7B0E0FADB69EAFE90874D6D326014EA28AA02C48CA77496925E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:08.606{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4EE13CC25FDFFC28A9A4689D3CDD74D,SHA256=EB87DFE256A496DADF61252ED3385FD264BEC03B2E31D975D1DAA168E93051D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:09.981{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0382C057477E6DA253D911466E7223,SHA256=2884F162F7C5021FD5474B315815B9BFE215C18FE7579D6466F654920DCF700E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:16.958{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal62775-false10.0.1.14win-dc-128.attackrange.local49672- 354300x8000000000000000107400788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:16.956{3BF36828-9799-6185-0D00-00000000CC01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal62774-false10.0.1.14win-dc-128.attackrange.local135epmap 354300x8000000000000000107400787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:16.949{00000000-0000-0000-0000-000000000000}5584<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local61405-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49759- 354300x8000000000000000107400786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:16.944{00000000-0000-0000-0000-000000000000}5584<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local61404-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal135epmap 23542300x8000000000000000107400785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:09.241{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD56E293142BEAAEFB212000BF957125,SHA256=817BFBF80873283735C3D46E515852F35EA3471BD8DC1256E73A0259AF8B37C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:48.088{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62775-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49672- 354300x800000000000000055902353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:48.086{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62774-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal135epmap 354300x800000000000000055902352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:48.079{B81B27B7-F665-6183-0A00-00000000CA01}624C:\Windows\System32\services.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61405-false10.0.1.15win-host-987.attackrange.local49759- 354300x800000000000000055902351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:48.074{B81B27B7-F665-6183-0D00-00000000CA01}792C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61404-false10.0.1.15win-host-987.attackrange.local135epmap 23542300x8000000000000000107400791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:10.288{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFDAF4EFEB5C42FD3B7C86AEA719F48,SHA256=3C5D7FE4257C1262E6E5E7F7962FE95CDC7A987BDFF03251B59D31A04FA21D3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:10.257{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=660CCB2BA08BE2F691D6451041627B07,SHA256=0F685B5B24B4AA48644801E70AE86FD07ECF250242E628464452A92EFF5ABCF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:18.663{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61406-false10.0.1.12-8000- 23542300x8000000000000000107400792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:11.491{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FFF537DCC7E66B1C222B86E070EEDF,SHA256=1023147813112E9BEA2DB5AFBD9507CA043DB0D292414C472B33D93FCA8D9BD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:50.731{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62776-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:10.997{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD94DA607137B54803886279BFC4288,SHA256=850366656D11AA8168FE627E3496B72B632724206C5D2A24EA244E131A064BA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:12.538{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BEFD4A25A0E9BB0B2152F2FCE2DC7F,SHA256=759630A9947775E3313E5FAC2D0E55EDC422858E83FEAB1699F90916638C8C69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:12.012{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8995E47FC54FEE9BC3CACD76D969089E,SHA256=1491DCAE45292822E8226B13727FCEB1C8498FAFFCE5AB04B43D5E68F93B0661,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:13.585{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0CF22B73631FB7356A516A9BDF3D503,SHA256=DE53281A546E2873143A5B2D933EE32BFAFE2727CD8C1CAB95B1DB2467D98349,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:13.028{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233C8B8C3240F3C11FA11654A6F8E67A,SHA256=A4FDCDB53EFEE8A9BDD3445125DD5D3EEDC5A5441A5112CC52E790DEF300E65F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:14.601{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C51F4A1355095182F682597CB02050,SHA256=564DDFEC0052BC6E7463D93F967BFEBD621F23456E67901C922E07F1F27C96A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:14.247{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1EC0CA6EF0E0D004C7F07CBBEF7E17,SHA256=5BE45B15E65B0E7803BEFA2BE3C4B7F6AAD49F87D08B3FCDAA367A0A225BEB43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:15.632{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DA6B7D17431CE730765341F8C4E398,SHA256=3594D6B2336EDCD06E6A65124A067A8095799C899C1FACB14773696E430FEEBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:15.372{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E96920EF00F85F027327B08B4FFB8E,SHA256=4136250B10F228DFE5FDF9C052110291E8B8CA9BD03C0FABD2E152269C2954B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:16.851{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB535869A739A77988FF2E08903DEDA,SHA256=821918F113B6F15BC9ECEC50E81B6743C0BE06897631DF77C234C7781EE62102,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:16.403{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A01451EB2D0BB73790A80608A14CD2,SHA256=3CFDF3846362958C06BE5FF597D4EBFDA391F007B5A4DFC6B87A0CAC6E643E71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:24.429{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61407-false10.0.1.12-8000- 23542300x8000000000000000107400799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:16.054{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D10721E60C21621F99C24CC3D78DE1D,SHA256=6620D929DD53362F8889066464BF6295F4D1793916F400D01574252274D6EA1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:16.054{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8369718B0FB72E9EB1D186692D4093E,SHA256=9144004D56FC14734E848F9A87071D206A22DE912A2F510DC05846F1F7B8E9CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:17.866{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986A1A0799F53B4BDA98BEF40C160D46,SHA256=53DDCB6534ED094746C1EDCD2BCB61E7BCC0F2393C7400E5B460E544F51D19D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:14:56.715{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62777-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:17.466{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C886967A4920B4A24B0A95D7638D7F,SHA256=8EA81EB34386CB542D8D766133F130B349A50AA91762D8F9EDC81A47FA4A950D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:18.960{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282AE476BABF6D360D5247F47EB9D99D,SHA256=38A66BA7C1DA7461671EB636D7D37A282ABDC44E11E50BC3EAF921BF93F5CFE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:18.512{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF24971862110E7D41300FEDA87B899,SHA256=910DE5F64DBF1F9826D3FBB976EFD662CF05D721CDDF031AC8030E1BC9AEA71F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:19.960{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE1F87CD3A760C69B48BED6C4BE63B7,SHA256=EBEC4610EF4BA8F4C6C9BAA1ADEEF4C7421631D034DB81FBE84867E72F2F0B0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:19.653{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3AB7958E9DE708E2A06AD6F6D5530D,SHA256=2FD648FD95A4D3292A8019489A78D4077C4477D5291F879A2C5A4FE080AF0EAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:20.960{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7415AE4D5500B974BE332D847F85107D,SHA256=885CC7953164ADA18B2FABA5AB2613733EABA33DBB9161659D612DC5976834F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:20.684{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF0916F829AD22E82421EB233709EAC,SHA256=0E616A614FBBCF3624CC85592DD6A78D2BE6DB194179B5577F6256E8F1D2A94D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:20.601{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=422496BB5FBCAF163F5114EC5B3A5F4F,SHA256=C95F4D85DDB023A9A9ED293F2C0181A0CDD5886C8E5EDEC0F2A863F886B27446,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:21.976{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3E189668D65F62F77227A22759A285,SHA256=B0D12BDAE02980993C29701F4D1DBD537B6DFE9428CC87F5B412A83864FC946A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:21.715{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D571A42C6ACA3831C523F59A6F11714D,SHA256=8D4682687EAB9FBF7F0A4556CF864BADE3DDF61C9C9397799765C56180135FB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:22.976{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA83C8F0FB8465B84F8FD52668EF4FE4,SHA256=1767772FB50599A46B6AA288ABD0836E3B399EFB752F16EBCB567C270580ADD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:22.731{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03A545CEF7D8CFE8F924E3424B5C37E,SHA256=80C019A5F070D88E742EFFA8D552E8AD5584389684D13B8B7206B3D5BEF63C00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:30.445{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61408-false10.0.1.12-8000- 23542300x8000000000000000107400809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:22.038{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DB60517F7F017DDDD00B9269891A550,SHA256=51A29231F2BC0D294C87388F2B7D87CC8D363128A9FAECC5E628AEA004E02D98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:22.038{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D10721E60C21621F99C24CC3D78DE1D,SHA256=6620D929DD53362F8889066464BF6295F4D1793916F400D01574252274D6EA1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:23.991{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E91AD04DC40FC3854FAF8751C7BEBA,SHA256=1F9E7FB57BF35B8C91300C8562EC0E938C6ACD023239590C650CE4F7E720C085,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:01.731{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62778-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:23.778{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886E0A05497159CA4161A86379C06D79,SHA256=E170B0C0D152732078FBC08D28AF2695C855D27BE1DF220AF3178F63B4C1A031,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:24.991{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01AD93D369A26413311ACE794260B11,SHA256=BD411A0CA64AAFA9A71A2293F855024ADB120C9E5FCFF8DE7AB75666BF7F6C71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:24.809{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D329BB031B073807DF862F340EDCF17,SHA256=38C100079DA0A18D43A858DE9CB57FB8E9D4C6A22C30D0EE8D612AD2ECFEECE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:24.606{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:25.825{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6A1F98258176C28020D4F2ED29888B,SHA256=3BB4FBC54E26FA8F56EBAD017363EA4CE5E80B6B864404ED0AA7EFFA35E07C29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:25.991{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7317DAEBD250A03B83D98D2C7C0840FB,SHA256=7189BA8F5F86B4059EAAEF556447DEF2A8005083CAFDB29BAA8C6AD7C4D2D666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:26.995{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7827145C99D616DAF143160D19880CEC,SHA256=7C7AFE29E78F2A9C37E9232C720A73C6692CC115C30071AADC71FC78AAAD735B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:26.845{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF9CBE35597236A06A61D0F59A829F9,SHA256=195F60F41692AD3CA0AF619B7DA58B631EF21E9F901682C441F023B0A7879C14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:05.137{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62779-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000055902377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:27.923{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF485632F6F2F6D2904682FE4CA82CF,SHA256=A19407B6BBF8D7537967B34D0631E23E5A342691BD51D68E10134F814E086CF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:35.570{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61409-false10.0.1.12-8000- 23542300x8000000000000000107400817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:27.167{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B072C631F58470923741589667A8D44,SHA256=0B3D6C35E0282F3F61ECFAB7F730BAC7FFCADB03862EA7AB271F0C91C54356F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:27.167{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DB60517F7F017DDDD00B9269891A550,SHA256=51A29231F2BC0D294C87388F2B7D87CC8D363128A9FAECC5E628AEA004E02D98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:28.027{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50C167F3F52913758D5F8A468224F5E,SHA256=948BF1EAA003BE7CC1BA4E97885BB71F3AF69ED662F5A116FC421BB48A23D358,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:07.750{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62780-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107400820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:29.027{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD98E547123CBF9B85733338D82FE50E,SHA256=E476F822F7A20BED13AA3D8A098BE3B8F9FAA2497FA938D896E46A55DE8FECB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:29.001{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC72FDDD4C0CE34544224A98BACB1471,SHA256=178F65054EE233CEBD47C9F41B369D2EC6DBD3698C44287AD1FBF5B3D2DDA094,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:30.235{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C3D0C433BB92ADD0698B00EB5B4F67,SHA256=F2FD857CD64AF04A59AEA5DA904B92C9B97C4EBA59BB7774E9BCE5B7BE2017D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:30.136{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE2D155964EF48FF5B5D30C341BBEEF,SHA256=842CB4ED2DA3AE233E0E00865273C1A52BB629820A184BFAAF7A9E2EF182CE50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:31.282{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3020BAAE3386A55165998F8FA93C877A,SHA256=C963B330A403818B54F60A49E4B5E98D815E82754FFA67AD1EBD09CB96514C8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:31.230{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F47BADD6FA708A1B371FEED2CBAC75,SHA256=2A5AD07D40A9B6E3D4F5E8F5DA649743854598F8E35940E29F09ABB8E2AD0283,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:32.298{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198982C5887165E6ADB1FFA1CD3C8720,SHA256=EBA42F8C8C65185A8BD9424B8B49EC44298F494EE72DB2B3199782808D138367,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:32.245{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ACEE30BA7248ED4585968D07955754,SHA256=C5D11E0858201CAC89FD4E83B5460EC5931C665CC3478C2C5899203109307E9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:33.313{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A3BD3EA691D446BF11C579CFED8882,SHA256=A4AE7079466A3C183A3F7AD197FB8B5BEB8DB02131003697705BE3E348BD1997,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:33.245{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CAFA8550F677855CF284E1F67C277CB,SHA256=0CB4F84A562B0CB037D1D918B73BC2445B2A7B13248000F9AF27097FF1824FEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:33.198{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=492289E832C3F7E7183B0FA296E275E7,SHA256=415A4EBF5BE7DB2D93D8CF596C0D5A5BBF7D71662618AE6061F608AAF790F6B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:33.198{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B072C631F58470923741589667A8D44,SHA256=0B3D6C35E0282F3F61ECFAB7F730BAC7FFCADB03862EA7AB271F0C91C54356F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:34.329{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A101C5E28B766633E46DCCC62F61369D,SHA256=47A6F82D69DE7973C470066C1B13DA1F3BEE35CDDA05FBF8D137B3A2099B6FC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:34.247{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB8403A0782165B593ECEA195B82E60,SHA256=B16B0B0077FE1657DAE905F0EA51002907E802CF2F61271C9DD1EF630E83CF85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:35.329{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17943AC2856C7864A0A587B1B551368,SHA256=C4A589461ACBC6432EE4D632E84D342FF87BBC3ED81A16B809E158151737EEC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:35.259{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4814EB7405761D303F59A6D40EC94ECD,SHA256=2D9AEB606A53E735480428ED06C0A1D5D557C6C919B28DE6D5D3AA1AC8EA7076,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:13.750{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62781-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000107400828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:41.605{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61410-false10.0.1.12-8000- 23542300x800000000000000055902387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:36.345{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D38725B00B9D0286B849A93FDFCFB3,SHA256=E8782B3F0296CF61FB27797C9AC00023C4B5F512034C2C8EE62E82127612791A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:36.293{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FCB115CDFEB8A3E20E286263650D72,SHA256=283A47F572A3D56685E5C99D808EA33BE6E4E33A9D0453BFDBAC14491EE9A872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:37.360{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3230F065948D507CDEDB44E8FCBA9C6,SHA256=EEF7DC4274F8E7F54A3CA899A2C2373E7D5610FD99CF6925F9B0E27DDBC72E92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:37.371{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE42ACAB43AF8D5E8018BA70048DE52,SHA256=AF04305BB9AFB1ED7C1C22EDEF9AFD736E246D957B95E80F666FF5130A29CB36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:38.376{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6181D54F64E08782AB04422EB016334D,SHA256=5A7CBE83D2DD5A78CC0948B8AF8D2D6F6861DC385F0877A604B2ADA9371A51AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:38.371{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336BEFDDD993C4A19F6A2B0580DA2C1A,SHA256=4B3C1E8643CFB6FDE923D26C58591507B18248577BFD5AB31DEC5D94815747EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:39.449{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E5F4FAAEBCE52805043921A9EDAF68,SHA256=11C5CC1B6C2A84746BD9DF33ABCCAC580D35CECDE0B18E4B28005E8BEEA4FB3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:39.391{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF09C8F06A5668130709C9A05232087A,SHA256=EB0CAA666F19DDCFCD4EE8035DE9D1C335FBC753DE47663C3721253FD493D7DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:39.106{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E368495D9C1AB4840FD5E315A183E498,SHA256=BDD9E2B421AAA186A1835120B833248DEB8BD4245EF8AC89240FBF76376F8463,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:39.106{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=492289E832C3F7E7183B0FA296E275E7,SHA256=415A4EBF5BE7DB2D93D8CF596C0D5A5BBF7D71662618AE6061F608AAF790F6B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:40.449{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17FA49919B5145B8F140341F9CF4648,SHA256=6808869EAC398A1E56B930397702C5213635437CFCCC275E7949EF8DA4E8DBEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:40.407{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27178AEB8CD45A603655A275A49C619B,SHA256=AEF35F9B2BF50207D4CA1237733EAFF2C9AD8CEACB064CE8845E4FB1530DEC3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.498{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61411-false10.0.1.12-8000- 354300x800000000000000055902393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:19.719{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62782-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:41.423{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3882AB622BC827E606C14FD0AA7E403,SHA256=2AD6EC2AB97217229E15498F31D26984C59FB4042F73DC25B957BC75F8A1CC45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:41.449{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C684E1DA0F38C0AF4922D7CD77E35212,SHA256=3B5390ED822BB869F099B6F0DEEDD4515054BC19AF875DCE61BE1D14201A9D3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:42.501{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5CB105B73D603FBA62B47DED00845F,SHA256=C72622EA4C04AC3D622B59929ADD50D76F7D00DDE369BCB785507EB5EE5834F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:42.496{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2027DA3F589EB2676C9BF31C8BD7A9,SHA256=DBBC9F7884168077561C375EC9B7786DB55B03747884AA0CA36FA64A4CEC1AC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:42.340{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E368495D9C1AB4840FD5E315A183E498,SHA256=BDD9E2B421AAA186A1835120B833248DEB8BD4245EF8AC89240FBF76376F8463,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:43.735{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAAE42C76E23976F23CD5464F434674,SHA256=8EA585E8D7BF2380ED64BB40121DFF3A07975B1BE5CA98EF34CC04A33C8BA356,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:43.528{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7E0D372F4835DE9916C8B6FFF239E8,SHA256=2756ECC2D70A55F49D9640EEA12A755C1D88A50A1D4C7083A26A804BA89F77AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:44.829{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC9E70497DA41D89D7A17567E8AD59E,SHA256=4AAD8D8F67E03A2E7B64D5E9808F68273C0FD734B58D528AB739EF7D128DE1A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:44.778{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBC909FC4B1F963B6E0F96E8D6BE11F,SHA256=02939A5EC778F29D59581E1234DA798F3D776B720E50022562521A4ED903B6F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:44.153{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90F978E40D01B5D4D99F769EAA2C428C,SHA256=44A4040D010939E49B9B572396C0BACDBCA45B7E28389EF26E2037A05E99216A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107400845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:45.824{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4242BC20F21D174FAC0120F6FC94CDD4,SHA256=0F2DA3647893BD3E47BCF1117CD49E3CF2FD5785C1D1FC465EEB9AF4FA6CE9D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:45.860{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF46FC8CACBCC8C12B0DEE617A638C77,SHA256=3E3AB981C99EA12E1CE17A0F1766BAC4B251CF4403104FAFA9A234567B8BDDBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107400844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:52.560{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61412-false10.0.1.12-8000- 23542300x800000000000000055902424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.928{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4B6517A1F561390BB02B88CD941B87,SHA256=642341DE69950F49B5CCE9D4D9C1D880823CA678BB42E1F02EDB35050F6C704D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.719{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107400899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.719{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.719{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107400897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.563{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.563{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.563{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.563{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.563{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.563{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.563{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.563{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.563{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107400888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107400869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107400866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107400863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107400862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107400861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107400860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107400857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107400852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.548{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:46.532{3BF36828-A142-618E-E010-01000000CC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055902423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A142-618E-4842-01000000CA01}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A142-618E-4842-01000000CA01}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.818{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A142-618E-4842-01000000CA01}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.804{B81B27B7-A142-618E-4842-01000000CA01}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055902410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.141{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A142-618E-4742-01000000CA01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A142-618E-4742-01000000CA01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.126{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A142-618E-4742-01000000CA01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.111{B81B27B7-A142-618E-4742-01000000CA01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055902428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:25.765{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62783-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:47.334{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E050DA328A06DC62BC5F27AD7A470E7,SHA256=D60C43C8AC9219C55465DD23FA733076EEFA66C5456D249F414E0D9DBA891587,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:47.334{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE93698CA1D66092F7AC70F1C8772B79,SHA256=831F2C24B07D7B0E0FADB69EAFE90874D6D326014EA28AA02C48CA77496925E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:47.037{B81B27B7-A142-618E-4842-01000000CA01}47884760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.907{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.907{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.907{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.907{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.907{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.907{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.907{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.907{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107400981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107400965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107400960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.891{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.876{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107400953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.375{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107400952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.375{3BF36828-A143-618E-E110-01000000CC01}46485780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.375{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107400950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.375{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107400949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.360{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6226DA83539EC5B9D112B15726826FA3,SHA256=99C8D3F888CCB6C223F36F58877AC9B8B73E9437D609AE5F3DBCA6265B984B96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107400948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.220{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107400947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.220{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107400946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.220{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107400945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.220{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107400944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.220{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107400943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.220{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107400942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.220{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107400941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.220{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107400940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107400939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107400938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107400937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107400936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107400935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107400934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107400933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107400932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107400931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107400930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107400929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107400928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107400927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107400926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107400925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107400923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107400922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107400921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107400920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107400919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107400918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107400917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107400916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107400915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107400914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107400913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107400912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107400911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107400910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107400909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107400908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107400904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107400903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.204{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107400902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.176{3BF36828-A143-618E-E110-01000000CC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107400901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:47.172{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD20A63E31F8F39A8E67F6614839348,SHA256=52B714CA3CB640ECB33349E9263C33E65CFF7134F807351999682359A1CE0571,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:48.178{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D49F03418FB0BB47C0357AF22F486BD,SHA256=4707425113535238EFC7BC21A84CC3BBF2A6C335AA595D735A77718D35119A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.579{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.579{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107401061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.579{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107401060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.422{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107401059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.422{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107401058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.422{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107401057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.422{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107401056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.422{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.422{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107401054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.422{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107401053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.422{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107401052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107401051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107401046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107401044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107401043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107401042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107401041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107401040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107401039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107401038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107401037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107401036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107401035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107401033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107401032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107401031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107401030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107401028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107401027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107401026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107401025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107401024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107401019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.407{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.393{3BF36828-A144-618E-E310-01000000CC01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107401012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.376{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CA4105501DCA27247560EA912752B12,SHA256=8A49D6C94D03F2E8833E6719189F304ED60556B2EB4C7F15FB50EC0C36A09D81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.376{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7295020611A9F47A7A4FC5C4FA2F9627,SHA256=BE1523811829D9DDC0E70B27F9DC399BABC67480BA2A9F08A075FDB9BC695452,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.094{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107401009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.094{3BF36828-A143-618E-E210-01000000CC01}11284140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.094{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107401007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.094{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000107401006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.063{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.063{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.063{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.063{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.063{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A143-618E-E210-01000000CC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:48.016{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16449B980BF12D705769BCA0F54BEFED,SHA256=75AA3E671E7FE54C3EACA4E04D9B845E93E7D86F2BCDD4F3E599DF13DEBB488E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.797{3BF36828-A145-618E-E510-01000000CC01}34804612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.797{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107401167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.797{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107401166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.657{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107401165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.657{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107401164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.657{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107401163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.657{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107401162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.657{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.657{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107401160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.657{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107401159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.657{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107401158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.657{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107401156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107401155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107401154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107401153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107401152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107401151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107401150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107401149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107401148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107401147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107401146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107401145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107401144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107401143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107401142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107401139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107401134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107401133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107401132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107401130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107401126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000107401124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.641{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.628{3BF36828-A145-618E-E510-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107401118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.625{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF521B8545C1B553BC5F3A639F3AA99,SHA256=335CA74823DAAD26F330E65B9846EF85B513FAC9D375B92D36CA929D39410EEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:49.334{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772E5472FF5D7DE10E85CFBB805CFED4,SHA256=D89CCBB71D1DEF71BB3BA0DDF1FD883471856D01FFA762979129110264F7BA2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.532{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0538565698212D82FFA2D2500E6A0E9D,SHA256=BE81705DE0DFF8C27CE55C1AB07FCC5B6B27DC3BCF677646BE186A40C23AF4F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.532{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F585943C39A9DEDF3E555CD206C6B903,SHA256=300BE271F57BA0BE3FAB753DE731F8B47ACB2105DD49AD79C810EC555430D425,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.266{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107401114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.266{3BF36828-A145-618E-E410-01000000CC01}54564072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.250{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107401112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.250{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107401111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.110{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107401110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.110{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107401109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.110{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107401108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.110{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107401107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.110{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.110{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107401105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.110{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107401104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.110{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107401103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107401102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107401097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107401096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107401095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107401094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107401092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107401091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107401090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107401089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107401088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107401087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107401086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107401084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107401083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107401082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107401081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107401079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107401078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107401077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107401076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107401075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107401071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000107401069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.094{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:49.079{3BF36828-A145-618E-E410-01000000CC01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107401224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.798{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6E940C6B5212058E8ABFBB604AA872,SHA256=BF71217A9D66C4D0C9E3EE306923D8F3814586C53681217ED5DA3BAF7435D951,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.766{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638CCC4C9773F588B8B804B963E7E6C9,SHA256=693771D6E77DD4E7BA2D0C96B122143AAA6F6996C3D7E3F054FFB035DEF7785E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.766{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=639F80AA2FDFCA068FE8747A637FAE02,SHA256=384648C7E0B7B66935BA4B84463FB2AFB4CE1F0B44694FBFF1F2F63F0EF3214C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:50.443{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557A0736D3259D581A7DCA1517532BBC,SHA256=B98B8D22BA89B40CDD5B692CF09472CAF209A3D00A32941A9ABDE915E80B8CB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.500{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.500{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107401219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.500{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000107401218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:57.627{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61413-false10.0.1.12-8000- 734700x8000000000000000107401217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.344{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107401216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.344{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107401215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.344{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107401214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.344{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107401213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.344{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107401212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.344{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107401211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.344{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107401210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107401209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107401206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107401205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107401204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107401202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107401201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107401199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107401198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107401196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107401195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107401193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107401192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107401191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107401190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107401189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107401187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107401186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107401185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107401184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107401183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107401181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000107401176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.329{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:50.314{3BF36828-A146-618E-E610-01000000CC01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107401225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:51.797{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94AA77AE1E736CF3989DE1B5B6A3129,SHA256=CF978A5A3FA2157BD649C246F43510DA3B1E808021622136E7273F4FCDA09659,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:30.802{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62784-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:51.490{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37609D8B57782A19B715725C01BE106,SHA256=57264037819CE044289C4F2E3908C4A3DEC6E87507A64F0499EA81CC3E99E4D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:52.860{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E97732F2A259DC9F679986B2C95E92D,SHA256=D36E0C21AF51F67E8D48A2609EA7D289E38307EDEA57285D8DA10F3C3FED7128,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:52.506{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E5B8A0C6DDA8CAB3CE0F360BC83765,SHA256=0CEE171FA50F7D3F630426F132F53C64AE357D16626BAD997342956E8448734E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:53.938{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99DDDE9765C0A58FC0114E6EE01ED80,SHA256=F6CEEBAFB68D8CE6ED3F6A8BE8AA39B775D8DCD744B4B5AF229070F602E6F42A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:53.553{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DD676EABA29E577F2CEC029A3AC0A3,SHA256=16E8825B988E529D84A2E1DEA0E78741ED3426BE6D8D5D657E531D02023D38E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:54.584{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE37952F87AAAC265078BE6CEF4458DA,SHA256=6C9577DD20B3ACC52C3235DCE4843AE48A05A43666B78ABA1A12AAE60507731C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:55.600{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385D20D208F154C3C79F7393DD7A93E0,SHA256=CD191EF584554D22D312C346ABB4A458B2F77B2D5BA6B4B9440827034B7E427A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:03.596{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61414-false10.0.1.12-8000- 23542300x8000000000000000107401229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:55.204{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0FCE4E0C9406012563859DD6AD7CE5C,SHA256=06DAECBF73FD0C4F35FE044FA453B82A0A8DE8B6F6295B88D5BC639740E0136C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:55.047{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDDC524EBCD905522400E1F96F12873,SHA256=CAB032F7F41DF6CD8121C25F95096F23A123C7065E7F4433F04EB1AFECF400A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.678{B81B27B7-A14C-618E-4942-01000000CA01}36041644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.631{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A4C814696421BA56EB2057ED2E6055,SHA256=6CD14C6575B322F1374E8F7F43EEBCEE9583905C44273856DCF540371B3A9A95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:56.047{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217716B7353584F2F8D67722A86C4A8C,SHA256=805D07D4FCF87B322492F27851AC5BC39A9B9974A79209C8BA7C95EC4A694A1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A14C-618E-4942-01000000CA01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A14C-618E-4942-01000000CA01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.428{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A14C-618E-4942-01000000CA01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:56.413{B81B27B7-A14C-618E-4942-01000000CA01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055902469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:36.567{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62785-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.646{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6120ACAAF063993E29444C9E9B4389E,SHA256=16D5BFD69BCB5A34AC310A311C57422F021BE54CD214FDA40E79081FE78095F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:57.047{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471133BE30CC655EB282ECFCC4E9F0E8,SHA256=1BDBAC09AC404D94577F10B7F0892ACA602072B410DD237387B1DF97AEC54DDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.443{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=861CE61A987F600F8413F0D0A93A214A,SHA256=CCA2D8C2A0BA1BBC30846D4E8CE5433EAC82A4977D3AB4DEA97DF975818AC461,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.443{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E050DA328A06DC62BC5F27AD7A470E7,SHA256=D60C43C8AC9219C55465DD23FA733076EEFA66C5456D249F414E0D9DBA891587,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A14D-618E-4A42-01000000CA01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A14D-618E-4A42-01000000CA01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.115{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A14D-618E-4A42-01000000CA01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.100{B81B27B7-A14D-618E-4A42-01000000CA01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:58.662{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA75CF26990E1398FC7B9E378057259A,SHA256=26E41EC701A473A2C7253430F526DD37D52EF6FAF58F514FB15C014CF40A3CE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:58.063{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69345837B8E670E06F287B3C6B7C2C6,SHA256=90BB5BA20BBB6EE58972265CEF76ED3ECFA0C288F63229D56D47204E20DA1C0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:59.678{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8B77CF11D80920C154F3C5D2B8AE30,SHA256=27104F0FCEF7F3961B1ACDDB46523D062C9EB4960C3D0E933C99DA196637A011,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:15:59.063{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7EEF1EA2D27B931B41848110DAA16A8,SHA256=26E4C0183B5AF456284C3071111693C143A2D4054313A391E4942C4C5A5D7442,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A150-618E-4C42-01000000CA01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A150-618E-4C42-01000000CA01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.912{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A150-618E-4C42-01000000CA01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.897{B81B27B7-A150-618E-4C42-01000000CA01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.693{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA3CC90A9FBF3DCAB4A5A9745C282A5,SHA256=8ED14E4792BC03D36E1E2FD3C876CAF10B2F54C59838461BA433822887F41C74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:00.297{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8905CFB44143264AF7A0C99AEB5EDB23,SHA256=B6483EE39A18E9BBD8C92BB59BBB7FC8434C6F4BFE13C070B72102C9D4856AAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.365{B81B27B7-A150-618E-4B42-01000000CA01}380108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A150-618E-4B42-01000000CA01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A150-618E-4B42-01000000CA01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.225{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A150-618E-4B42-01000000CA01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.210{B81B27B7-A150-618E-4B42-01000000CA01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:00.053{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EBA279152E24E73C0DB2D5688D897688,SHA256=DF2AA45686FAA00374BC258B9551D4AA0C91AAA56C228A08BC4B44F7124BD9CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.868{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405BB7E5CD9020DD357CB3BDE49624DA,SHA256=342EFBB7890F711BC839B43A9BA1A55A3D892384D722145B16249A7146554889,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:09.533{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61415-false10.0.1.12-8000- 23542300x8000000000000000107401238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:01.313{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5B5A338D64F5C2077418F798D8B85A,SHA256=D502ED00FA1A72E293EB99645475FE0440EE12A56A17B06D74258B7A7A253451,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A151-618E-4D42-01000000CA01}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A151-618E-4D42-01000000CA01}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.602{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A151-618E-4D42-01000000CA01}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.587{B81B27B7-A151-618E-4D42-01000000CA01}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.211{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=861CE61A987F600F8413F0D0A93A214A,SHA256=CCA2D8C2A0BA1BBC30846D4E8CE5433EAC82A4977D3AB4DEA97DF975818AC461,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:01.100{B81B27B7-A150-618E-4C42-01000000CA01}37403000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:01.125{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=012A91B6964361C86C8E78F5168DC6A8,SHA256=F7F20DC0AB1C9138FE1705EB2C2AAF436B891FDAEEBC36F8B1F3A25E9B4F2130,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:01.125{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51421521F881455532CF9009E5000BF0,SHA256=60C25853C2F091A2E18DDF44D6DBD9310E3A63C41E8472EFFCE5B220385B8369,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:02.959{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FECA834D05305790A5A53A3BF6AA9826,SHA256=A2293E53F21EA0AFEBEAF983A231BD4CDE0E14304157772616A18BC2AB6914B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:02.360{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=012A91B6964361C86C8E78F5168DC6A8,SHA256=F7F20DC0AB1C9138FE1705EB2C2AAF436B891FDAEEBC36F8B1F3A25E9B4F2130,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:02.344{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F30AEE601494E541D5900EB4279A3B,SHA256=DA1DEAD11FBF0F2FA9F93846C82CCEAA15EA88776B4CB8C162F8B05D4B46F48B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:41.567{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62786-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:02.631{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF32906DF9776167C1D3A4886B37E2A2,SHA256=1DA1B41976475DB682EE55751F631AF380587F8F10E582566BDE742E3170B326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:03.962{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635AA6EBA4F708352E95200AD9963E82,SHA256=3F1ACCB20CA53A09A0AC568EEB5290E754EE7CD83F79CC92011B94E068C46DB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:03.344{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A9E9BEDFC6DF12D3366941B6224DCF,SHA256=4634ED5B946FB428BD0D3D64242E38EE18447CCD09B230F0F957901DBF251D63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.641{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:04.500{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A20C0540CBAC067346A1F7ECB26A4A,SHA256=882DE90B4907C6F926FD9D04148AFBB7C86C48297C9BF41DA6890A3AA02AFCA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:05.938{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:05.641{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CD582E2CE8FC5671F49615B48E5562,SHA256=B1CC6AFB60F2C6CE9B9520C760367070FB6BD793DC406020DE478AA5A2A29131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000055902522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:16:05.790{B81B27B7-F666-6183-1200-00000000CA01}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7e8-0xfa07abaa) 23542300x800000000000000055902521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:05.181{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3C78813CE987DF179EEC28AD892EE1,SHA256=1D77BF6F6F869D9F9A6BA3D2A5DB8409B686914731EFF7504FAD1CFCE6AC57C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:06.654{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA1893611862A9CC65037E6AEC6FCBB,SHA256=A10A94EA7E82C4E2A67B8EC229B09ED0DEA036A9A1BF516B5FB872387D10AE0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:06.337{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25CB03EB40511F4FE07AE00F4A874F6,SHA256=27954FFD7F52702C5A136E07D0D6DAE7C57D9438D46DC7BEE7DC2D27DF367414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:06.188{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F283E961ED649F45F0A13593B6D0C5EC,SHA256=1CD512BE19F1B9A4C9AD99EB5827D4D4FE027FC0CF550C728242E7917346D816,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:15.362{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61418-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107401278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:15.362{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61418-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107401277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:15.330{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61417-false10.0.1.12-8089- 354300x8000000000000000107401276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:14.596{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61416-false10.0.1.12-8000- 23542300x8000000000000000107401275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:07.654{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9BDC98F21BB1DCAAAB691612238592,SHA256=6185F2030CD6DA431A35E414B6EED7C2BB163F33F247C31F1DCA6D2AD93DECA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:46.664{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62787-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:07.347{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3524E7129D25BDC73633DA1AE20F5A,SHA256=545A4C97788AA37885574E45EAB1BEF499250BF8A8A13314B5FD12A1E2AE3776,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:07.373{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06572DAC76B77DF1DAB81F5E1A7A03EE,SHA256=7D8FBC0BC9D27C9D361E147C0BAA2CD21EE1DA5489FE523B6E2A646612ACB379,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:08.810{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C03A35899A151395CCFE8B28E95D3C1,SHA256=DB540BB6FD87BB2DD3A5440426A81D43C44465A2F7AF7525259A9A5CD79B09A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:08.378{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B7FBF2E62B4E3A9F52D77F593C5562,SHA256=5B5723EDC57C0DB1A28B5336C8A29D6D014263B53478CA2E09B7435CD1FB4312,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:09.826{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7E2B126D305987CCA1F43EB7C95FC2,SHA256=401B9CA499862CC7BF8EE307A4046F5E8C7242B87E5507A06BFCFA861E4EB0F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:09.425{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28812F9EC1510F0E61EF084A35112C6B,SHA256=BE323A1928D838CCA45B2F62BA05D491129C34134742A77CD0CF128535377B9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:10.919{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FCDC05964CF93808654DE8E30FC19C,SHA256=5B123DD66DDDB98F3D7BD666A68D34DE0D1AB22C12FE60E173CD16364C30E5D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:10.456{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E400AE20F37A21363736BEDC765AE7,SHA256=8090D35F1C59B413F766A69CC794A76DD5D16C53F69E17E80FBF3B869586EB22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:11.919{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6202BDB187D0D771E7BDC2ECB6F71664,SHA256=F9DFFFAFD61DA57029C226E471AC75364184B6B74392F4D8122DDB93EA299A09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:11.487{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCE4BFEE92A2B86321434851F266D5A,SHA256=E7CEB09D646D2D21CA2356C16A5A428DD104844EF19000569335A38F01C73A5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:12.951{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB7116528497D0CBE1F911DB82FB1A5,SHA256=490D5A600FBE76A63DC7F90D71BD62A857251E13AF5089B14E5120D1D45FD91F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:12.519{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCC960C5E3A00A105817A1F09A13E05,SHA256=2097207E05BB5CB3BF92912DD96F1BE83AFE3ECD291AE34FDD631D51D8B027B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.515{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61419-false10.0.1.12-8000- 23542300x8000000000000000107401284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:12.341{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F3F9172818C35869EB92F39C7A740B5,SHA256=8E503D66D4F9ADE7C47595EBD864B085CCAA117573CEDD0F5BBDA4319D721EBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:13.951{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB508645E721EF55B4A92955A4AB9D62,SHA256=C4D2EC20F68CA00E64A3AAB4A8F41268440C1B5F07EB6098DB3DDE59440FCE5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:13.550{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21F3D1B83088E574F71C48325A0D5F3,SHA256=CE7242107C1CF368EE76F95B242588163438742F9926C34CEC74B721F26FD87E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:51.751{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62788-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:14.566{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6BE4985183E6EA5F2D8BBDA522F9026,SHA256=3A0416C224ACB1F7CED57F70577F449E9E85F91B4D22717DC68D31F5AA4A5B34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:15.597{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CB44A40581D2D2EB9DA812F5430500,SHA256=EB809E2063777CE0D2F15B17125C927E32B171606068A9028D62A14DBD6B1F75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:15.076{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14983648FF1B9CCAC6CAA97F7A6AEC9,SHA256=06A822D3B2AA8D422CB6B7CF71CE7C068EE742A4E95A3B41096FBA1CA0A00505,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:16.831{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5618466D604034449B75C3751E3C92CB,SHA256=9DAC9836B2E01BAF179EFBF770D471729607593229EDB6248A46982A61AA02B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:16.091{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F12AB0122EAC37CFAFDBDA2030432E4,SHA256=109326DBE40685287B43BDCD285FB3D1B8FE01AF395FD306905D8740012C422D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:17.909{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A757C5018AF962B9562F20ACAB37B3F,SHA256=D2C8C0377B6A386559E67024C4E937AAB6AEFB9FDA6F830A0E78595A20C26E6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:17.091{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCBAB216ECA13CBFFE5E6E49760DA7E7,SHA256=20B5FF1A40CC07011147ADDFDC3B9FF6D5653C53A4ECA39DBC60ACF631E0CA25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:18.925{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447B574ADDA1EFEEB17453EB216FB664,SHA256=0B7F8A3D20531F0B2C6CB6344F54C852A0FA9F0A87C0266AA9E636F1542C8C12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:26.546{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61420-false10.0.1.12-8000- 23542300x8000000000000000107401293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:18.138{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D6C8F511603DD1CD8F2E4457662D44,SHA256=411FB24B57D08E7CBCA41B7E4636A987CBD15EE83D8AAF3FC95936208764CB68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:18.138{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAEBB497C3B3490553972B228478D08C,SHA256=469283146E82D14F9331A2C63913389CE27648AAF9639AE7BD797F45A86D1DC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:18.091{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13CF9F849BD932DFC1F4663284856025,SHA256=2E59C8E9548DC8E0109F7A8F5C9DE7A075B22D65A7251D8E4820EA39D5AC51BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.919{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.919{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.810{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\GlobCollationHost.dll10.0.14393.4169 (rs1_release.210107-1130)GlobCollationHostMicrosoft® Windows® Operating SystemMicrosoft CorporationGlobCollationHost.dllMD5=FE882365D86F6E44EFC87EC7B5254390,SHA256=8198641FDE94EE03D9CA57919602D9B1AD260073857067E2B299F0CF2550936C,IMPHASH=C03E8C7B87D41F339890F29E06DD9229trueMicrosoft WindowsValid 10341000x8000000000000000107401352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.826{3BF36828-9799-6185-1400-00000000CC01}10564724C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.732{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.732{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.732{3BF36828-957E-618E-790F-01000000CC01}58282564C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.732{3BF36828-957E-618E-790F-01000000CC01}58282564C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.716{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18361004C4CDDCCEE341E8D993EDF423,SHA256=8E34A0496A7836ACAFD2F9E77A917D9BC77F1657732E5F5AE31A31A86C123FC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.685{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\Windows.Cortana.ProxyStub.dll10.0.14393.0 (rs1_release.160715-1616)Windows.Cortana.ProxyStubMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Cortana.ProxyStub.dllMD5=7806FE9D293F066147ED111F7945D18A,SHA256=2C05FEC5EDDFE93E4DE67FA816B5D52273F78F71FCFA53C39CAE2B9B925CA25F,IMPHASH=18518A03148257ED1E3E823BF427D938trueMicrosoft WindowsValid 10341000x8000000000000000107401345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.685{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.685{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000107401343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.669{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000107401342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.669{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000107401341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.669{3BF36828-97A9-6185-3100-00000000CC01}21961808C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000107401340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.669{3BF36828-97A9-6185-3100-00000000CC01}21961808C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000107401339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.669{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}9044764C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}9044764C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}9044764C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}9044764C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}9044764C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}9044764C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000055902538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:15:57.704{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62789-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000107401328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0D00-00000000CC01}904584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-957E-618E-790F-01000000CC01}58283572C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-957E-618E-790F-01000000CC01}58283572C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.654{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.638{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.638{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:19.091{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38ACFD57DBE9D2DB1206F70EB7ACA0BF,SHA256=CD44CF73CBC41EEAEBC72AEEB0FA57297210BDD12FAA06CB1473E6C855E0FB97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.966{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\execmodelproxy.dll10.0.14393.0 (rs1_release.160715-1616)ExecModelProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelProxy.dllMD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153trueMicrosoft WindowsValid 734700x8000000000000000107401368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.951{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 10341000x8000000000000000107401367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.951{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000107401366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.951{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x8000000000000000107401365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.951{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 10341000x8000000000000000107401364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.935{3BF36828-957E-618E-790F-01000000CC01}58282564C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.935{3BF36828-957E-618E-790F-01000000CC01}58282564C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.935{3BF36828-957E-618E-790F-01000000CC01}58282856C:\Windows\explorer.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.935{3BF36828-957E-618E-790F-01000000CC01}58282856C:\Windows\explorer.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.935{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ExecModelClient.dll10.0.14393.4169 (rs1_release.210107-1130)ExecModelClientMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelClient.dllMD5=178BCB2B937C94CA144C326FD678A322,SHA256=932D0710FD612EDBE2D0433ABE294AD17D23CB8D43DE7F4CD8E01C58D279C1CE,IMPHASH=B1099E1B098B6F4C7DC6D071206DFC70trueMicrosoft WindowsValid 10341000x8000000000000000107401359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.935{3BF36828-957E-618E-790F-01000000CC01}58282564C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.935{3BF36828-957E-618E-790F-01000000CC01}58282564C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.607{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=71A8AFA9A7EE7475E302156AD33811AA,SHA256=AB6B5230CAA7B157F5385559D9F5DA8AE65DF4FE35344C1CB646B7B55CF63E8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.341{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB1B8249C99C0A126EE4040F05313BA,SHA256=ECA51F0EB5994B57D81F4948A7DF07E18D6B71A21B8F32C376AB70B341FC1512,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:20.159{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858E0A64EED1278B2A80E2010DEB4A7D,SHA256=985B133410E321DF69F35AE62892874CBA7B52D902EC67DA7E058D4FAEED8E71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.300{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.175{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7460CAFA0FADED44DCB89DDC658EB4EC,SHA256=5009E8A065A8EBABB0B311769689C137952257B6261F90500C20E63B9DDAD938,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.980{3BF36828-957F-618E-7B0F-01000000CC01}2096ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2OZ2JCZ6\microsoft.windows[1].xmlMD5=EACCA7E17DBDCC64F70753AC6F734FBE,SHA256=4D9E4615C0358F53406F225A6D9797475CF5ACC3CE7FC11406A0E7E0C0E16A5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.965{3BF36828-97A9-6185-3100-00000000CC01}21961808C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000107401507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.965{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.965{3BF36828-97A9-6185-3100-00000000CC01}21961808C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000107401505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.965{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.965{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 734700x8000000000000000107401503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.871{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ShellCommonCommonProxyStub.dll10.0.14393.0 (rs1_release.160715-1616)ShellCommon Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationShellCommonCommonProxyStub.dllMD5=0CA5821006FA1E1D061EFA860A1772C5,SHA256=20BDE84FC0CF0EC937EBF3F3269E3722008FD36181CC8433B47B9C310B147DAE,IMPHASH=F3F9319CB3B5244E10D1E0BEFC65F9D6trueMicrosoft WindowsValid 734700x8000000000000000107401502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.871{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\ShellCommonCommonProxyStub.dll10.0.14393.0 (rs1_release.160715-1616)ShellCommon Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationShellCommonCommonProxyStub.dllMD5=0CA5821006FA1E1D061EFA860A1772C5,SHA256=20BDE84FC0CF0EC937EBF3F3269E3722008FD36181CC8433B47B9C310B147DAE,IMPHASH=F3F9319CB3B5244E10D1E0BEFC65F9D6trueMicrosoft WindowsValid 734700x8000000000000000107401501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 10341000x8000000000000000107401500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.918{3BF36828-97CC-6185-8400-00000000CC01}36644340C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000107401499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.918{3BF36828-97CC-6185-8400-00000000CC01}36644340C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000107401498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.918{3BF36828-97CC-6185-8400-00000000CC01}36641852C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.918{3BF36828-97CC-6185-8400-00000000CC01}36641852C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x8000000000000000107401496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\msdart.dll10.0.14393.0 (rs1_release.160715-1616)OLE DB Runtime RoutinesMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdart.dllMD5=2D8AE33BC433EFE81FB9F5B126B4A0A9,SHA256=5BC4D64A18925CFB39C898E954BC24473BCCFDA11E31A8FD7E01F8F888BD6B76,IMPHASH=115EB10C88C8AF50DD182CFA7531BA0CtrueMicrosoft WindowsValid 734700x8000000000000000107401495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.918{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\networkexplorer.dll10.0.14393.0 (rs1_release.160715-1616)Network ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationNetworkExplorer.DLLMD5=889484BE2979D3C693D194BF4E5F2C82,SHA256=BC046600D8B8DA1652AD584DFAC4D799D4E772BFAF833C50B8F2F91D7D65D6B6,IMPHASH=82DF5355ECE040AB2EB1CF3A3223A564trueMicrosoft WindowsValid 734700x8000000000000000107401494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x8000000000000000107401493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Program Files\Common Files\System\Ole DB\oledb32.dll10.0.14393.4169 (rs1_release.210107-1130)OLE DB Core ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationoledb32.dllMD5=1C9084B11668B0E8E83D7887BC2BDA33,SHA256=A2FF5347549ECCC9804F180C34D465AFA55027B3B0F614A2666934FA2963F436,IMPHASH=A09B8303CAADE20549BE153591374A00trueMicrosoft WindowsValid 734700x8000000000000000107401492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.902{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\thumbcache.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=C146766884A92B154F2EB38463F2263D,SHA256=48C5CC7760187EDB140A904D3AC5FD24F740973CDBA07962047859F84E7BEB9C,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 23542300x8000000000000000107401491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.902{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA6617F0ABD287614388443EE381D97,SHA256=46AA828618F6F6B3EC2BE197FC91FC1BA70B1F07655EA6D6D116C46645760093,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.902{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 10341000x8000000000000000107401489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.902{3BF36828-97CC-6185-8400-00000000CC01}36644340C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 734700x8000000000000000107401488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.902{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 10341000x8000000000000000107401487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.886{3BF36828-97CC-6185-8400-00000000CC01}36644340C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 734700x8000000000000000107401486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.886{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000107401485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.886{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\twinui.dll10.0.14393.4169 (rs1_release.210107-1130)TWINUIMicrosoft® Windows® Operating SystemMicrosoft CorporationTWINUI.dllMD5=7F1F1B63C8AA1D6EA1057589ECF0AC12,SHA256=4E20B33E2E951359C9FEBD1EE66A2B24E5BAACB0C6CFF5E3543CAAB00C99AA91,IMPHASH=B98A56301D4EF217B14C24D92F13B2B4trueMicrosoft WindowsValid 734700x8000000000000000107401484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.793{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\tquery.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Tripoli QueryWindows® SearchMicrosoft CorporationTQUERY.dllMD5=B9DF37B30C068E2B5A23D72BAC55FAD0,SHA256=37DD06EEF20425B3EDD1ADECC701DEE052F16CA16DE14F62057612460E5D5F21,IMPHASH=B2D5EB79B3B6EAFD7FE4708FBD5F0703trueMicrosoft WindowsValid 10341000x8000000000000000107401483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.886{3BF36828-97CC-6185-8400-00000000CC01}36645740C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000107401482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.886{3BF36828-97CC-6185-8400-00000000CC01}36645740C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.886{3BF36828-97CC-6185-8400-00000000CC01}36645740C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.886{3BF36828-97CC-6185-8400-00000000CC01}36645740C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.871{3BF36828-97CC-6185-8400-00000000CC01}36641852C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.871{3BF36828-97CC-6185-8400-00000000CC01}36641852C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.871{3BF36828-97CC-6185-8400-00000000CC01}36641852C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 734700x8000000000000000107401476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\indexeddbserver.dll10.0.14393.4169 (rs1_release.210107-1130)IndexedDb hostMicrosoft® Windows® Operating SystemMicrosoft Corporationindexeddb.DLLMD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94,IMPHASH=F2930DCF8E4EC6905600CC18B9275F1FtrueMicrosoft WindowsValid 734700x8000000000000000107401473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.732{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 23542300x8000000000000000107401472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F79A7B83FF2F8BC1354F23959BB1F7F8,SHA256=D8BFB60B97AB5795B16FE9D2CB1AC16E953CC3911B97CA9E22C7C33DC42113A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-97CC-6185-8400-00000000CC01}36641852C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-9799-6185-1600-00000000CC01}12724184C:\Windows\system32\svchost.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-97CC-6185-8400-00000000CC01}36641852C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000107401468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-9799-6185-1600-00000000CC01}12721324C:\Windows\system32\svchost.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000107401465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-97CC-6185-8400-00000000CC01}36646100C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.840{3BF36828-97CC-6185-8400-00000000CC01}36646100C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 734700x8000000000000000107401463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000107401462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000107401461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107401460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107401459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107401457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000107401456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000107401454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107401453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.708{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.ProxyStub.dll10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"CortanaApi.ProxyStub.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"CortanaApi.ProxyStub.DYNLINK"MD5=D52CF10DE320A1C64B0A342159A2F86E,SHA256=AD9848E33DA0B44F41BBF55236DE92F87F7EDBF67542C1E97B1C7BD897A64F0E,IMPHASH=667008095DFCABB963146EDE86598EEFtrueMicrosoft WindowsValid 734700x8000000000000000107401451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000107401447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000107401446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.824{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.809{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000107401442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.809{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.809{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.654{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862,IMPHASH=53CA7FAF1CEDFB0EC8CCD763B974D4A1trueMicrosoft WindowsValid 734700x8000000000000000107401439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.793{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\StructuredQuery.dll7.0.14393.4169 (rs1_release.210107-1130)Structured QueryWindows® SearchMicrosoft CorporationStructuredQuery.dllMD5=330E02FA330C93B93B477AA2F88C8A3A,SHA256=958A6977B820D04D94C8FD85C23CC62D77F0498BB59A648744E8F43704FD7F26,IMPHASH=870079407DAAD548AC5B3F417EEBB243trueMicrosoft WindowsValid 734700x8000000000000000107401438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.654{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.StateRepository.dll10.0.14393.4169 (rs1_release.210107-1130)Windows StateRepository API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepository.dllMD5=8F4457905D80A520C684CA48F807C268,SHA256=623299C57C3148EB7B8EE0FE22F2E8A4C7A41712A87D43074E56643BEB84C06A,IMPHASH=A28EA9ED587BD4511849B7BB44021022trueMicrosoft WindowsValid 734700x8000000000000000107401437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.793{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\indexeddbserver.dll10.0.14393.4169 (rs1_release.210107-1130)IndexedDb hostMicrosoft® Windows® Operating SystemMicrosoft Corporationindexeddb.DLLMD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94,IMPHASH=F2930DCF8E4EC6905600CC18B9275F1FtrueMicrosoft WindowsValid 10341000x8000000000000000107401436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.777{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.777{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.761{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.761{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.728{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.728{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x8000000000000000107401430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.728{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.728{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.728{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\indexeddbserver.dll10.0.14393.4169 (rs1_release.210107-1130)IndexedDb hostMicrosoft® Windows® Operating SystemMicrosoft Corporationindexeddb.DLLMD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94,IMPHASH=F2930DCF8E4EC6905600CC18B9275F1FtrueMicrosoft WindowsValid 10341000x8000000000000000107401427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.720{3BF36828-9799-6185-1600-00000000CC01}12724184C:\Windows\system32\svchost.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.720{3BF36828-9799-6185-1600-00000000CC01}12721324C:\Windows\system32\svchost.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.720{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000107401424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.720{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\MSWB7.dll10.0.14393.2791 (rs1_release.190205-1511)MSWB7 DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSWB7.dllMD5=5C7C3EBF7A50560DE37B750F3BB0F2B2,SHA256=227474B4306F6FA4F4A7EC5DAE2E91104BA6A156E31BDAD4B82D2E5426A53729,IMPHASH=A39738A99E764D3F4E439E2498C99B04trueMicrosoft WindowsValid 734700x8000000000000000107401423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.591{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.UI.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=AA343736DAADD1B736E5BBBD3EC5E5CC,SHA256=BA3CC83A7A4E9BA542558909CDF413FB6B172ECC020A9DBFEFC49F9BB17795E9,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.712{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000107401421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.712{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.708{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000107401419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.704{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107401418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.701{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107401417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.497{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.Web.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=05A0DA19CDE8CD78408BCD0699E4DA41,SHA256=EFD64061CF00FFBED5640BF91C49FA989BECF7BF64DC945B380F53CC7ECBF59D,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.701{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.701{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107401414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.341{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.System.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=068414C1DA971123D1E9929366E84587,SHA256=0CECAFDF74C26D56E1C2830A2DAF93F03F97A92963CAFAA7195BAA26A1C3F923,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.685{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000107401412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.341{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SPA.winmd-----MD5=C493EDC306102A26A24DC9DA32FE22F3,SHA256=98BC3BCD6BA112108AFD2A0BE59F890B5DB25AB6852EB5C1BDCC71BE9C1752A2,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.341{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.Storage.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=01B5B26ECF5D00AA5EFF8F338DB9D3BF,SHA256=7F2E662062C97A685B26DAB91C1E77715CC68241343367B4F9A86FA23B46D9C2,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107401410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-957E-618E-790F-01000000CC01}58282564C:\Windows\explorer.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-957E-618E-790F-01000000CC01}58282564C:\Windows\explorer.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107401406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000107401401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-97C9-6185-7D00-00000000CC01}49685004C:\Windows\system32\csrss.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000107401400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.326{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Tips.winmd-----MD5=3C80560C30AD2BE58A49A785BFCC0F7C,SHA256=1CE0A7BDD02EB08984D50A0D9D343A49E4C12F77F59494896E3A1667D70F6037,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000107401395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.669{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.326{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.Security.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=28D0A50E6F86302879C69F355C457E03,SHA256=3985EE10F6B61B867D891B3113FE660D38FC66494F895CF04EB24828E505A31E,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.326{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.Foundation.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=BFD9E7042DFFEB1514B269AD48EC2EFA,SHA256=AA96696B3BF450DF4473A2DAD21ACF2BCE5673BF02361B3AFBB302D851A3BDEF,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 23542300x8000000000000000107401391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.654{3BF36828-957F-618E-7B0F-01000000CC01}2096ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2OZ2JCZ6\microsoft.windows[1].xmlMD5=0B4F39F009D5D3EBAEB16F3832464153,SHA256=464B1032495A60224442ABAE0319CA8D075B9280BB991E6C384792E6464EFF90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.326{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Search.winmd-----MD5=7A52B044D782D6D124FBCFC0CEBC33A0,SHA256=8B88AF514367319CE7642A0BFFC3775F147ECEC79B4BFB5A7A5E9403C1A99089,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107401389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.654{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000107401388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.654{3BF36828-97CC-6185-8400-00000000CC01}36644608C:\Windows\System32\RuntimeBroker.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 734700x8000000000000000107401387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.326{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Internal.Search.winmd-----MD5=11841D432F863B175E48F514DCC39523,SHA256=807938C694BEF66ACCB7C0333C00D07AD4A0FF88A3097A06F578371DD5334EBC,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.326{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\rometadata.dll4.6.1586.0 built by: NETFXREL2Microsoft MetaData LibraryMicrosoft® .NET FrameworkMicrosoft CorporationRoMetadata.dllMD5=1D59FBE55DAA1BA99EF01B2F7DFBBA06,SHA256=9DBC58AF89D741C05979B727FA5EF914674A05FE97562E6CD714AE8DAF49160E,IMPHASH=11B8DBACAC595313B3296107F62648E7trueMicrosoft CorporationValid 734700x8000000000000000107401385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.294{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x8000000000000000107401384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.294{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\profext.dll10.0.14393.4283 (rs1_release.210303-1802)profextMicrosoft® Windows® Operating SystemMicrosoft Corporationprofext.dllMD5=3490D2800E46CE473BEFAF747D85F2D0,SHA256=ABE7C0822FB81A5B609F4F02070BCE6CE8CF51CAE49503F23B5AB92C811EF961,IMPHASH=82DBC5DF78A34C977A610912E2732607trueMicrosoft WindowsValid 734700x8000000000000000107401383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.294{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000107401382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.294{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\wininet.dll11.00.14393.4402 (rs1_release.210426-1725)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=27D3D531D0EA9B3EE7F54C4DE5A15946,SHA256=05254BA3332E887C9F97D42406A7C2CEE4DF405ECAF39391968FD472CC4F1F89,IMPHASH=B3ABC7D59C2B1ACAEECA63C53B0AAC4BtrueMicrosoft WindowsValid 734700x8000000000000000107401381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.247{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\msimtf.dll10.0.14393.0 (rs1_release.160715-1616)Active IMM Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSIMTF.DLLMD5=BAAE2C3547EB0A28AAD2C1237732BAE1,SHA256=314348DB567C72EE00B14C8094818AA3278037DB0490487509FB38B0E2222509,IMPHASH=6F06E66C95EF188EDA6C1FD34DD15FB4trueMicrosoft WindowsValid 734700x8000000000000000107401380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.232{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\srpapi.dll10.0.14393.4350 (rs1_release.210407-2154)SRP APIs DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsrpapi.dllMD5=6EE744B7052F6DE1C9870F9C97FDB42F,SHA256=6FE549AAB3A751D32F4FE7A1492BE85B4FD4AD718A9561CBAB6E82B97BCFDD40,IMPHASH=8C07B81A4B319D612B954B42DF3C1D74trueMicrosoft WindowsValid 734700x8000000000000000107401379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.232{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Chakra.dll11.00.14393.4169 (rs1_release.210107-1130)Microsoft ® Chakra (Private)Internet ExplorerMicrosoft Corporationchakra.dllMD5=460B16F474BC84721FACC52FDAF03A78,SHA256=2A6D2F3989DD1B62DF39667D98B068DD550C38D7DB9007869795372C50B6785B,IMPHASH=56CBAE8EB3D7528A31E2436C1748945DtrueMicrosoft WindowsValid 734700x8000000000000000107401378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.154{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046,IMPHASH=563B6F147961D943E0261E05EAD94B56trueMicrosoft WindowsValid 734700x8000000000000000107401377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.154{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\edgehtml.dll11.00.14393.4283 (rs1_release.210303-1802)Microsoft Edge Web PlatformMicrosoft Edge Web PlatformMicrosoft CorporationEDGEHTML.DLLMD5=C7E5ED81EEE568646AAE29122A8E5986,SHA256=24B8F6966E5EA1CDDAFD6532E5685F4BE918329B054991DB190BF0A65E80D3E9,IMPHASH=8F13197AAE4ADB5C15C6FC595AC9BB37trueMicrosoft WindowsValid 23542300x8000000000000000107401376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.341{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9357448102FF149C360E27128AF0AC56,SHA256=85ABC30B3870E38DA3373AADA28829E4AB53231044FFEA91568FE3C2B11BB740,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.310{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000107401374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.310{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 734700x8000000000000000107401373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.294{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000107401372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:21.294{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 734700x8000000000000000107401371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.951{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x8000000000000000107401370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:20.951{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x8000000000000000107401581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.814{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=0DB1A588A248E852AD781AE14333A5C6,SHA256=6F9C36C2663B90439A1AEE74855C521FCBBDB8C7B88382C9464906F1691F65F6,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x8000000000000000107401580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.814{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Cortana.Persona.dll10.0.14393.4169 (rs1_release.210107-1130)Cortana.PersonaMicrosoft® Windows® Operating SystemMicrosoft CorporationCortana.Persona.dllMD5=C2700BE8F4B0B2FABE2197E30C854225,SHA256=2D0414C38ED278779C49E9151A68D03C8791457DA34B93846D38921274BC12E7,IMPHASH=22A0992389FD6A6A32421DFAD79D27DCtrueMicrosoft WindowsValid 734700x8000000000000000107401579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.830{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1E,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x8000000000000000107401578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exeC:\Windows\System32\Geolocation.dll10.0.14393.4169 (rs1_release.210107-1130)Geolocation Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationGeolocation.dllMD5=76EB0106BA6BF5ACC0AA57E5DBD2A534,SHA256=AA5EE7BE0C7167132C71ABE97CC418DF55144F5DFC8ABD90A130EAAF95DC3B2A,IMPHASH=1CB15BDFFD09BD7E483469F86B5CAF02trueMicrosoft WindowsValid 734700x8000000000000000107401577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.814{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x8000000000000000107401576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.814{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x8000000000000000107401575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.814{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 23542300x800000000000000055902570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:22.487{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FBF8535AEF378BC1465DF460736565,SHA256=4FB24B0BC9926F4300C949769A6798DE6C0970EBB56F22FAA5D5AF5371489B07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.814{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000107401573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.814{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 734700x8000000000000000107401572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.814{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1E,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x8000000000000000107401571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.814{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000107401570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82trueMicrosoft WindowsValid 734700x8000000000000000107401569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.814{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exeC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1F,IMPHASH=518BBC26E9BA87459E80712401FEE077trueMicrosoft WindowsValid 734700x8000000000000000107401568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000107401567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 734700x8000000000000000107401565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107401559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107401558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107401557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107401555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E,IMPHASH=EE6E7AA59AC992D3937C01196243C8D7trueMicrosoft WindowsValid 734700x8000000000000000107401554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107401553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107401552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.798{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107401549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-957E-618E-790F-01000000CC01}58285188C:\Windows\explorer.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-957E-618E-790F-01000000CC01}58285188C:\Windows\explorer.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-957E-618E-790F-01000000CC01}58282564C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-957E-618E-790F-01000000CC01}58282564C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-97CC-6185-8700-00000000CC01}22164832C:\Windows\system32\taskhostw.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.783{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.767{3BF36828-957E-618E-790F-01000000CC01}58281400C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46|C:\Windows\System32\SHELL32.dll+d0c11|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d0c97|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+1721db 154100x8000000000000000107401536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.776{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\system32\notepad.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 10341000x8000000000000000107401535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.752{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-3100-00000000CC01}2196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.752{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-3100-00000000CC01}2196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.752{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000107401532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.752{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000107401531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.752{3BF36828-957E-618E-790F-01000000CC01}5828624C:\Windows\explorer.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000107401530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.752{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-3100-00000000CC01}2196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.752{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-3100-00000000CC01}2196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.377{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D6C8F511603DD1CD8F2E4457662D44,SHA256=411FB24B57D08E7CBCA41B7E4636A987CBD15EE83D8AAF3FC95936208764CB68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.361{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351701BD05F0EA3C0B356F3AB094EBDC,SHA256=99723756002DF5DC8762B0D002DBAB49B766F9BF9278D429B76F8263004D1C3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A165-618E-E810-01000000CC01}5764C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A165-618E-E710-01000000CC01}3772C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.098{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57579D62F48CB9D0DEC184C56A6C7CD7,SHA256=734D72F379E884A900197E0A5B2A595B0124A800BC12D33A5472E5CB213E15D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.048{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.048{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.033{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.033{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.033{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:22.033{3BF36828-97CC-6185-8500-00000000CC01}36601372C:\Windows\system32\sihost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.783{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8A40CCD3FA3ACF4B350E442FDA50CB7,SHA256=44912ABA621F76B83DA73BC888AB58E35704E4CF8AD53D919C423432FE65C699,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.722{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9D52E6FF74F994F316B52EE707F9EE,SHA256=E49ED5EB6E621EFF684DA8332DF0775FD81F5A154B01EE1D5067A429E2A31275,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:23.519{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF27AED40C2623032A7BFE6D579C50F,SHA256=9D1A7B0EF33DF01B349C82209B352FADCEE04976F1E62957E7A60F621EBFBE06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.220{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.220{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.205{3BF36828-97CC-6185-8700-00000000CC01}22164832C:\Windows\system32\taskhostw.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.205{3BF36828-97CC-6185-8700-00000000CC01}22164832C:\Windows\system32\taskhostw.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.205{3BF36828-957E-618E-790F-01000000CC01}5828136C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\explorer.exe+1e118|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.205{3BF36828-957E-618E-790F-01000000CC01}5828136C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\explorer.exe+1e118|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.189{3BF36828-957E-618E-790F-01000000CC01}5828136C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.189{3BF36828-957E-618E-790F-01000000CC01}5828136C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.189{3BF36828-957E-618E-790F-01000000CC01}5828136C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.189{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.189{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.189{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.173{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\efswrt.dll10.0.14393.4169 (rs1_release.210107-1130)Storage Protection Windows Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationefswrt.dllMD5=3B52E3346B479665AF22772F7A8A5DA5,SHA256=8844843BDEF197239497BDAEAAFE821B7C28D5B6E13DCF4F6F0B8B3A233EF813,IMPHASH=DB722C59D528E4A03ECF3B136E3B2A72trueMicrosoft WindowsValid 10341000x8000000000000000107401610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.173{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.173{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 10341000x8000000000000000107401607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.173{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 10341000x8000000000000000107401605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.173{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.173{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000107401601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.142{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x8000000000000000107401600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.158{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000107401599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.127{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000107401598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.142{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 10341000x8000000000000000107401597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.127{3BF36828-9799-6185-1600-00000000CC01}12724184C:\Windows\system32\svchost.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.127{3BF36828-9799-6185-1600-00000000CC01}12721324C:\Windows\system32\svchost.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.127{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000107401594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.127{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000107401593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.095{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000107401592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.095{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\urlmon.dll11.00.14393.4402 (rs1_release.210426-1725)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=3562767F9C1D8359A735D4F64A9733F5,SHA256=7E60D82C417779D316000AD376BE9BA2CD14728616F35289E34E47CC6839620B,IMPHASH=198DE5B70ABFFE7B73AD088D655B26D1trueMicrosoft WindowsValid 23542300x8000000000000000107401591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.095{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1911636E5617088B057897621B04918,SHA256=F6A39EB7307EAB9702EA9688BA2E7BC36DE0BBFADFA37F9CDF23C761F03808CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.080{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\feclient.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT File Encryption Client InterfacesMicrosoft® Windows® Operating SystemMicrosoft CorporationFECLIENT.DLLMD5=AFCC2CA506D4A09F7D8B79BBF7D2CF1E,SHA256=6616D794EC0DE4CE7A99451AA5B299CEE213618D8F0854D1D6987862472FAD6B,IMPHASH=F81B72A18C4A8A86D4B59944671E95CAtrueMicrosoft WindowsValid 734700x8000000000000000107401589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.080{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000107401588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.080{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.080{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107401586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.080{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.080{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000107401584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.064{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000107401583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.017{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000107401582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:23.002{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\System32\notepad.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 23542300x8000000000000000107401626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:24.752{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF3C05A91CB7855A9A563AC04BBCAA0,SHA256=17C4DB8A0F744DF40CDB37534B39F09ED7F0E8727FB9B24D768796F46F9BFA15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:24.659{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183E3985CD7A86A59EE98B07A566A72F,SHA256=E14531E358649CFB246528AA1687EDB79827108DD5B3D0BDF18BBC3B52862B72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:24.628{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:25.767{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2D2BC05200687A1AA7FFF3FD7D527A,SHA256=1F201B64C7603A42E55480118F8B7AAF45397C062306157C8D0DB4F3B1262F3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:25.800{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4BDF2796D1D1BD520EE56CA7C4216B,SHA256=7E2123EC576F23DDD65007676B3261431E0087CDF145ADF6336D5D0A1E6E0CE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:32.488{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61421-false10.0.1.12-8000- 354300x800000000000000055902574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:03.767{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62790-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:26.805{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540DF16895E614CC284FD418870D7A64,SHA256=5AB3913ECCBEF0A784218CF13C99012F4F59744DCBD817532BCB0AC3A4A2696F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:26.924{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C47384B8ECCD2A8DD0B92DB8716054,SHA256=8592F7D955CE5C25453948413865041FC2BC46AFCD9EA5C5F785236DE53F4DF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:26.471{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:26.471{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:26.471{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:26.471{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x800000000000000055902576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:05.157{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62791-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000055902578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:27.836{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446CF98D2FDCFB9418090A3A1B9B561F,SHA256=21F914F363884E1BAC571A2DF5F19F117A984DC712A232E523B24AB14BBDA8F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:27.924{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B06C66B7D67B45C007B3E5013BC810,SHA256=17C7DFBBC15DB241DE922ECCB349A38354681D29C4022A6652B1D520B95C9268,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:27.377{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFF2D9651352765F5036F3F3FCF2B7EA,SHA256=2E129F9DBA308B18782CB786C169401B2212EBCC8EF4D47399BF771475B224C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.940{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2808DB9877CAE8E791BA88EE2BA4C745,SHA256=1FC264F52D5C8068CD7DD26B7E1AF95C843F260682167D0673D430A2C3234893,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:28.898{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923FAFC05C945AF5809124C399A72FF5,SHA256=D6D307B5F413D9DC7D9813EEBDE1F742C10ECAA7D1DD47700B6259FC5F11F8CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.768{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED681DB207653C1A61694AA06FEA4AEF,SHA256=E06F276D5BC7A00153006AA24CD658EAB11558E51A2E63757D0BD1AD957569F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.127{3BF36828-9799-6185-0C00-00000000CC01}8444720C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.127{3BF36828-9799-6185-0C00-00000000CC01}8444720C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.127{3BF36828-9799-6185-0C00-00000000CC01}8444720C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.127{3BF36828-9799-6185-0C00-00000000CC01}8444720C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.127{3BF36828-9799-6185-0C00-00000000CC01}8444720C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.127{3BF36828-97CC-6185-8500-00000000CC01}36601372C:\Windows\system32\sihost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.080{3BF36828-9799-6185-0C00-00000000CC01}8444720C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.080{3BF36828-9799-6185-0C00-00000000CC01}8444720C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000107401636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:28.080{3BF36828-9799-6185-0C00-00000000CC01}8444720C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000055902580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:29.930{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D164CE287258EBC98968850B4F909693,SHA256=CA32A90CED7CB3DE142A9E551B82100C00CBA6430A12A669916DE3F9EE895561,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:29.940{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389597F5D4042B4135DE4712E62529CF,SHA256=FFF10E795350D5C8DB4392DE9AFA5AA89539D68429CAC434E4CD7B7A8220EDFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:30.961{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB145256401574A9FEBB5A84C5E9F282,SHA256=74813DF88E9ADD571045D3D4CABA7A02705E5738E3031ECFFD432BB55515FC14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:30.955{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5921EE794D3ED8C68615D9C08D077FC,SHA256=7B6D21AF0C945980F82DFFFCC29C8A380429D9949DDCCA2763D02D801528AD1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:09.662{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62792-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107401649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:30.237{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA1F276DCDAF7F965D7CAE4871BB766,SHA256=EDE9013A3D5DEDA0E8CCD49DD89352D6102D1D1C24306722C00D048F00C815E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:38.489{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61422-false10.0.1.12-8000- 23542300x800000000000000055902583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:31.977{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD5B67DE035B8B2AEAE450E8C86506A,SHA256=64A873BF70338288CE32597057F6F9A81DB2B607EC6EAAC92345537AE73BADD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:31.987{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4D0A0689546C298D54F1838DD29D56,SHA256=952D1BE49865E2F9B9560D5FC659E46F9BAF7846F54B0E972F35F2FF03C6D029,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:32.992{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B75D3F182DEFD70C2506C03F0602EEE,SHA256=795C971134353D7EECF79D52B120230386321799DD1401A4A4FF381777965382,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:32.987{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D0FE04462FBC90ED5AAC9C11C3C15C,SHA256=F23CF3183FA323B8CA5B1C57B95BB4833200E4826D77072B8A27B64C2EC792AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:32.362{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:32.362{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:32.362{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:32.362{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:32.362{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:32.362{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.455{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000107401698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.424{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C,IMPHASH=98E0DBCEA076EF80E7DE241072E34656trueMicrosoft WindowsValid 734700x8000000000000000107401697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.455{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37C,IMPHASH=36FD662FB3EF657597E485F3FC734A67trueMicrosoft WindowsValid 734700x8000000000000000107401696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.455{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.455{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94,IMPHASH=A243271C363636A670D5D150D4D338C9trueMicrosoft WindowsValid 734700x8000000000000000107401694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.424{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871,IMPHASH=0B7F4620EB804B43452C1AFA5341A2C2trueMicrosoft WindowsValid 10341000x8000000000000000107401693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.440{3BF36828-9797-6185-0B00-00000000CC01}6361884C:\Windows\system32\lsass.exe{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.440{3BF36828-9797-6185-0B00-00000000CC01}6361884C:\Windows\system32\lsass.exe{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.440{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107401690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.440{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\taskschd.dll10.0.14393.4402 (rs1_release.210426-1725)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=76BF5CA81C749140E05C7519B13B299E,SHA256=D5CBDB2EEE67E582198F9DB213EC95DF9107F08D646E67FFA723066CC434B515,IMPHASH=2C7BF5CADC559377391AFDF385763E3CtrueMicrosoft WindowsValid 734700x8000000000000000107401689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.424{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3,IMPHASH=77C2BDF68EAD031D294626FB2F3033A1trueMicrosoft WindowsValid 734700x8000000000000000107401688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.440{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000107401687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.440{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.424{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBB,IMPHASH=8D3297F500E5144336C044019A1ACFD4trueMicrosoft WindowsValid 734700x8000000000000000107401685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.440{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.424{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107401683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.424{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107401682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.424{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107401681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.409{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000107401680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.409{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107401679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.409{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107401678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000107401671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-97ED-6185-9700-00000000CC01}60884192C:\Windows\system32\conhost.exe{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4FtrueMicrosoft WindowsValid 10341000x8000000000000000107401666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.393{3BF36828-97ED-6185-9600-00000000CC01}60806104C:\Windows\system32\cmd.exe{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.377{3BF36828-A172-618E-EA10-01000000CC01}2172C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeSchtasks /S 10.0.1.15 /create /tn evilTask /tr C:\metE.exe /ru system /sc once /st 00:00C:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000107401659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:34.143{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318B16F985D23FB6E37E1463900CFF85,SHA256=C636D216FEDF7DA3B9EC39DF326804C2A84595B4C7E428481E41F8063FEB276A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000055902586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.localT10532021-11-12 17:16:34.461{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\evilTask2021-11-12 17:16:34.461 23542300x800000000000000055902585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:34.008{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8F96840F5559640E0460FB2E609C4A,SHA256=84960B30CA29CC87DE5E0403E2716C1F3026D2586DBFCAE32D6904A32B822884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.535{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED279C4A9075F0AC0C159DB79CE25303,SHA256=0EB086222BD1B9E7A1D821C44A8BCDF6AB7723A42F78BEB9B0DB728BB184B633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.535{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59E1FE063748EFA0AC1161AAF8EA370,SHA256=6D6732F007A64AFC3B620124F23302A828F90052D455068C97DFA187432B4CD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.535{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D2FCEC3EA08CA9A086997B64CE9CC27,SHA256=1EBE6B25B815EE142F427E9D9873F187D2333FFAC7DCB409821DCAD79D4F3B03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.598{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61423-false10.0.1.12-8000- 10341000x8000000000000000107401707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.394{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.394{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.379{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.379{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.379{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000055902592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:14.998{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62793-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49672- 354300x800000000000000055902591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:14.993{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61425-false10.0.1.15win-host-987.attackrange.local49680- 354300x800000000000000055902590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:14.990{B81B27B7-F665-6183-0D00-00000000CA01}792C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61424-false10.0.1.15win-host-987.attackrange.local135epmap 23542300x800000000000000055902589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:35.461{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=343860B4F0F2CACDB9FC339A1ACDE1D6,SHA256=4B3F28FD3106C408AC4BF7A93CC90CC032D94F2BA9636D06A3A1A8091B91C9D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:35.461{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB59747C9DE7E764371B218C7571D589,SHA256=0C613496E12ECB3F6D79B505FF816280242030AFE1C238629AFE466902BA6C03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:35.039{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650627855903F1D73AFFD677CC75DF88,SHA256=217C1677414BC8D39ED3E9474B7E58C712D1FD18D457262F6F9B64C5BEB19841,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.050{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1500-00000000CC01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.050{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1500-00000000CC01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:35.050{3BF36828-9799-6185-0C00-00000000CC01}8443584C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1500-00000000CC01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000107401715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.872{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal62793-false10.0.1.14win-dc-128.attackrange.local49672- 354300x8000000000000000107401714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.838{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local51043- 354300x8000000000000000107401713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.838{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local51043-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domain 23542300x8000000000000000107401712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:36.439{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29B0BC363CD8FD2FDE217A1249BA658,SHA256=815D9C4B27D90D32B6E56A1AD919FA0B059520CA9BE1BE3A52BB37F5A507FB5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:15.724{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62794-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:36.070{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90342EF92F4F0A2E888B304BFE452F15,SHA256=F879F985E404A5F91919823E7B71A8DB49A86D9BEC330886B009C747BDA6DE71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:37.442{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5208D0E0EF3B3F645C5E9F62685D6E,SHA256=FA90F1A4FCE8F656D05F09B962CBBF81F56DEEA20852CD3F8F9206F30C9A4DF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:37.102{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC916DD762DD92DBA0BD719D77E2B77E,SHA256=B491FD8AEC7FB08E97E2B7C397989BAB6C5FC869190AC7C99C27D689C8043AAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.866{00000000-0000-0000-0000-000000000000}2172<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local61425-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49680- 354300x8000000000000000107401716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.864{00000000-0000-0000-0000-000000000000}2172<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local61424-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal135epmap 10341000x8000000000000000107401725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:38.755{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:38.755{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:38.739{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:38.739{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:38.739{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:38.739{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:38.583{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D611DEF2B4357E13A70BA234CC436E,SHA256=63F0A43F4153D34227CD7242DBC580B5AFFF767C5CFB03D469414384B8C28DB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:38.133{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6722148664CAA793F0E2EBCE52019288,SHA256=A9BDA3D4C23224FAD5753DE877CE464AFA1D237DC4BC8CA7221C4510723CACBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.646{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.646{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37C,IMPHASH=36FD662FB3EF657597E485F3FC734A67trueMicrosoft WindowsValid 734700x8000000000000000107401756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.646{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94,IMPHASH=A243271C363636A670D5D150D4D338C9trueMicrosoft WindowsValid 734700x8000000000000000107401755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000107401754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107401753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-9797-6185-0B00-00000000CC01}6364356C:\Windows\system32\lsass.exe{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-9797-6185-0B00-00000000CC01}6364356C:\Windows\system32\lsass.exe{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107401750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\taskschd.dll10.0.14393.4402 (rs1_release.210426-1725)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=76BF5CA81C749140E05C7519B13B299E,SHA256=D5CBDB2EEE67E582198F9DB213EC95DF9107F08D646E67FFA723066CC434B515,IMPHASH=2C7BF5CADC559377391AFDF385763E3CtrueMicrosoft WindowsValid 734700x8000000000000000107401749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 23542300x8000000000000000107401748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61ED84707DB792AC9FFFF4ACB9E72128,SHA256=9E44AA9DCB4AED9651C40DE11324F39F6B2A9048D5589584E6A06CA004DF8712,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000107401746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.630{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x800000000000000055902612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0B00-00000000CA01}6324500C:\Windows\system32\lsass.exe{B81B27B7-A177-618E-4E42-01000000CA01}4148C:\metE.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0B00-00000000CA01}6324500C:\Windows\system32\lsass.exe{B81B27B7-A177-618E-4E42-01000000CA01}4148C:\metE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A177-618E-4E42-01000000CA01}4148C:\metE.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.664{B81B27B7-F666-6183-1600-00000000CA01}11761544C:\Windows\system32\svchost.exe{B81B27B7-A177-618E-4E42-01000000CA01}4148C:\metE.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+e7dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000055902599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.648{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.648{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:39.164{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7A31A714A0AB5791DC995533952402,SHA256=FB5D09418B3A0AA19C729BA87807F03AAA4AA7684F0C8D19DC2B27E3D68B0280,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000107401737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-97ED-6185-9700-00000000CC01}60884192C:\Windows\system32\conhost.exe{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4FtrueMicrosoft WindowsValid 10341000x8000000000000000107401732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.614{3BF36828-97ED-6185-9600-00000000CC01}60806104C:\Windows\system32\cmd.exe{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:39.597{3BF36828-A177-618E-EB10-01000000CC01}3576C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeSchtasks /S 10.0.1.15 /run /tn evilTaskC:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000107401765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:40.645{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7162DBE1ADFE91EA767D416A2AC560BB,SHA256=C446115FFA3FD8BD06D6000515FD0C11C484B92D1173C5A1C41F5843C4F6AE7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:40.648{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50DEA27DC7310DB717857B3F860CD9FD,SHA256=40641FD0D7EB1448BD74AA3A678BBE0AC4CF136E39FCDABE45DEE19F72E93838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:40.648{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=343860B4F0F2CACDB9FC339A1ACDE1D6,SHA256=4B3F28FD3106C408AC4BF7A93CC90CC032D94F2BA9636D06A3A1A8091B91C9D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:40.180{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC95A72E5C1D582A9584415219C1EDD1,SHA256=4F5E910818C3B37D801DAE18E5960D9D00E490FC106092DEDA3D68A14779BE4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:40.552{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:40.552{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:40.536{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:40.536{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:40.536{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:40.192{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED279C4A9075F0AC0C159DB79CE25303,SHA256=0EB086222BD1B9E7A1D821C44A8BCDF6AB7723A42F78BEB9B0DB728BB184B633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:41.864{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9B3AEA5A39417C83EC63B70682F63C,SHA256=324C90CE05903AC03B75FF0A41FB3F938FA52495E624722FE70A627A2C2B644E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:41.195{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89B4D35148D1B51EF0A57FD6A2A7130,SHA256=FF5FDE82D32AC3F635CE67863EE7071E35820AD0A1B6AA7F8A68EB23FBC38226,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.601{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61426-false10.0.1.12-8000- 354300x800000000000000055902617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:20.182{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61428-false10.0.1.15win-host-987.attackrange.local49680- 354300x800000000000000055902616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:20.180{B81B27B7-F665-6183-0D00-00000000CA01}792C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61427-false10.0.1.15win-host-987.attackrange.local135epmap 23542300x8000000000000000107401771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:42.895{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58CD465555320FB5E285C332402E1F0,SHA256=5ECEE62CA1132BCAD6B5591FB7C43EB0B6FEAD09776E8B164935F6CDAAA5E7E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:42.226{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27CF73F1BD08802DE0163B60E91566E,SHA256=C4487660323A8CCFAD1AC5F51067E7AA4E27643B00FE2E4D7C60E889E4E82CFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107401770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.056{00000000-0000-0000-0000-000000000000}3576<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local61428-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49680- 354300x8000000000000000107401769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.054{00000000-0000-0000-0000-000000000000}3576<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local61427-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal135epmap 23542300x8000000000000000107401768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:42.395{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEECC37A6FC679F18862D473CB4AD5CD,SHA256=2C4EA63D182AF4949A83D46BAFD6D37AA006A7C2601876F772CC8415913BA73C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:20.247{B81B27B7-A177-618E-4E42-01000000CA01}4148C:\metE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62795-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal8000- 10341000x800000000000000055902620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:42.164{B81B27B7-F667-6183-2400-00000000CA01}16922236C:\Windows\sysmon64.exe{B81B27B7-A177-618E-4E42-01000000CA01}4148C:\metE.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:42.164{B81B27B7-F667-6183-2400-00000000CA01}16922236C:\Windows\sysmon64.exe{B81B27B7-A177-618E-4E42-01000000CA01}4148C:\metE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:43.242{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E0BA99D945BFFA8D8237979CC885A2,SHA256=7E299CE5A95512127C8F7C1596C6BE34A24AA11B21DBADED7155B247BC95CA7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.552{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.552{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.552{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.552{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.552{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:43.552{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000055902626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:21.631{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62797-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000055902625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:20.665{B81B27B7-A177-618E-4E42-01000000CA01}4148C:\metE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62796-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal8000- 10341000x800000000000000055902624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:43.211{B81B27B7-F667-6183-2400-00000000CA01}16922236C:\Windows\sysmon64.exe{B81B27B7-A177-618E-4E42-01000000CA01}4148C:\metE.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:43.211{B81B27B7-F667-6183-2400-00000000CA01}16922236C:\Windows\sysmon64.exe{B81B27B7-A177-618E-4E42-01000000CA01}4148C:\metE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:44.883{B81B27B7-F666-6183-1600-00000000CA01}1176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\evilTaskMD5=EBAC38974D64E8D9D64B9E37B651ED5B,SHA256=E0B0FE92136BDC55C0329F8CA7580D090BE887E97F742AE05637405CEF47AF20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:44.273{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F193569218559BBD56CE00EF331D15,SHA256=CF40A51F647EE4F3CE464B0DEF599BE099C86B4B69616C9C63843369470286D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.895{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37C,IMPHASH=36FD662FB3EF657597E485F3FC734A67trueMicrosoft WindowsValid 734700x8000000000000000107401816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.895{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.895{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94,IMPHASH=A243271C363636A670D5D150D4D338C9trueMicrosoft WindowsValid 10341000x8000000000000000107401814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-9797-6185-0B00-00000000CC01}6361884C:\Windows\system32\lsass.exe{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-9797-6185-0B00-00000000CC01}6361884C:\Windows\system32\lsass.exe{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107401811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\taskschd.dll10.0.14393.4402 (rs1_release.210426-1725)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=76BF5CA81C749140E05C7519B13B299E,SHA256=D5CBDB2EEE67E582198F9DB213EC95DF9107F08D646E67FFA723066CC434B515,IMPHASH=2C7BF5CADC559377391AFDF385763E3CtrueMicrosoft WindowsValid 734700x8000000000000000107401810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000107401809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C,IMPHASH=98E0DBCEA076EF80E7DE241072E34656trueMicrosoft WindowsValid 734700x8000000000000000107401806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871,IMPHASH=0B7F4620EB804B43452C1AFA5341A2C2trueMicrosoft WindowsValid 734700x8000000000000000107401805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3,IMPHASH=77C2BDF68EAD031D294626FB2F3033A1trueMicrosoft WindowsValid 734700x8000000000000000107401804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBB,IMPHASH=8D3297F500E5144336C044019A1ACFD4trueMicrosoft WindowsValid 734700x8000000000000000107401803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107401802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107401801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107401800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000107401799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107401798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.880{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107401797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000107401790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-97ED-6185-9700-00000000CC01}60884192C:\Windows\system32\conhost.exe{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4FtrueMicrosoft WindowsValid 10341000x8000000000000000107401785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.864{3BF36828-97ED-6185-9600-00000000CC01}60806104C:\Windows\system32\cmd.exe{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.849{3BF36828-A17C-618E-EC10-01000000CC01}5260C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeSchtasks /S 10.0.1.15 /delete /tn evilTask /FC:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000107401778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:44.114{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAE979227D25D0D2647D969CB0F56D6,SHA256=7955B2BCC0913701A8FE99DB3680C2F6E58B3238B7DB4608BFE25F9F68B89531,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:45.489{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53D89320C084BCEC2A45D764EA5D3DEC,SHA256=6AE6ED532376AFC4713290B002BEBB8710472650927107855F3DD2EACDF28FCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:45.255{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4C6A5FE270569724D7989C9CA66493,SHA256=968CE19DD0E1B5F1878DB37636AC7E603DC2C321DA991A44755AB0B14465D195,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:45.305{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283C0E83AD77CCBA02F14A72604DBEA8,SHA256=B1CD006C173BE277208D7F73D83BA408B222E55947D9588C50EFD5DF6E102D76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A17E-618E-5042-01000000CA01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A17E-618E-5042-01000000CA01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.835{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A17E-618E-5042-01000000CA01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.820{B81B27B7-A17E-618E-5042-01000000CA01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.351{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC3C1E9C5433B13A6315845153C06CD,SHA256=F733F17174040211CA1429EB5A0DE21DE7CEB76AB1E5957FE55E289DA4904E19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107401872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.985{3BF36828-A17E-618E-ED10-01000000CC01}45844952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.985{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107401870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.985{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107401869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.798{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107401868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.798{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107401867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.798{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107401866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.798{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107401865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.783{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.783{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107401863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.783{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107401862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.783{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107401861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.783{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.783{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 354300x8000000000000000107401859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:53.648{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61429-false10.0.1.12-8000- 734700x8000000000000000107401858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.766{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107401857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.766{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107401856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.766{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107401855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.766{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107401854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.766{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107401853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107401852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107401851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107401850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107401849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107401848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107401847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107401846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107401845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107401844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107401841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.753{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107401836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107401835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107401834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107401832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000107401827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.735{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.533{3BF36828-A17E-618E-ED10-01000000CC01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107401820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:46.270{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D33DE454C3D72367CE1DEEC1255C36,SHA256=69E503A5834B84C8534C8C87A637A668E0B66AE05D38AD69200B1A464FF58F8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A17E-618E-4F42-01000000CA01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A17E-618E-4F42-01000000CA01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.148{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A17E-618E-4F42-01000000CA01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.134{B81B27B7-A17E-618E-4F42-01000000CA01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055902634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:25.432{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61431-false10.0.1.15win-host-987.attackrange.local49680- 354300x800000000000000055902633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:25.430{B81B27B7-F665-6183-0D00-00000000CA01}792C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61430-false10.0.1.15win-host-987.attackrange.local135epmap 23542300x800000000000000055902632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.008{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80745CDD564698CA4A9D034B774D4A53,SHA256=1B003FB14DBF5D8D6537B2F324C92BC2CABFFA2FA9517F3254AF337866E4952C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:46.008{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50DEA27DC7310DB717857B3F860CD9FD,SHA256=40641FD0D7EB1448BD74AA3A678BBE0AC4CF136E39FCDABE45DEE19F72E93838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.798{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107401926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.782{3BF36828-A17F-618E-EE10-01000000CC01}5808860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.782{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107401924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.782{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107401923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.595{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107401922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.595{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107401921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.595{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107401920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.595{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107401919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.595{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.595{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107401917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.595{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107401916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.595{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107401915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107401914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107401909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107401908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107401907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107401906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107401904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107401903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107401902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107401901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107401899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107401898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107401897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107401896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107401895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107401894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107401893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107401891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107401890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107401889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107401888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88063DAF4A2D8E9B0B30415E77E9138,SHA256=01D397EFB58119DB2518EA15D16913E5D62C3467935772B9F1D29A57AB91632B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 23542300x8000000000000000107401885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B1304E7673810A8FF6F31E5AD49041E,SHA256=2F276035D8311A3894A893BC1AAC49E37CCD7F2B49FF45ADC01892BE26019CE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107401881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.579{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:47.424{3BF36828-A17F-618E-EE10-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000107401874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:54.306{00000000-0000-0000-0000-000000000000}5260<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local61431-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49680- 354300x8000000000000000107401873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:54.304{00000000-0000-0000-0000-000000000000}5260<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local61430-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal135epmap 10341000x800000000000000055902667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:47.725{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1500-00000000CA01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:47.725{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1500-00000000CA01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:47.725{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1500-00000000CA01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:47.381{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142BF70825AB1DD77116F12BC8575C73,SHA256=F0C77CFF0F0BF96424C5A3495843F9FF381F19355FC45D0751DC094343B88251,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:47.147{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80745CDD564698CA4A9D034B774D4A53,SHA256=1B003FB14DBF5D8D6537B2F324C92BC2CABFFA2FA9517F3254AF337866E4952C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:47.007{B81B27B7-A17E-618E-5042-01000000CA01}3180340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107401985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.845{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A14ABFD5BB577284D6D0017B5F032A2,SHA256=39103CE44D7F7DC108CFB4605943DF29A5B0D8398311C10241925AADDF6A6EDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107401984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.813{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC767D0A18242E31AB3154033439DB29,SHA256=6B30DC2A64864EF25974B924B2B0439D097FA4EC494AF92A8B9793544AD1BE00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.641{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107401982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.641{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107401981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.641{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000055902668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:48.397{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03ECD5F584E30BDE9B4C401673B4E43,SHA256=31FC7E0C8337B461DA35E97A7D8AD07C1701F11D51926DA83A92246232FAB02E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107401980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.516{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107401979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.516{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107401978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.516{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107401977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.516{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107401976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107401975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107401974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107401973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107401972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107401971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107401970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107401969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107401968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107401967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107401966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107401965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107401964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107401963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107401962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107401961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107401960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107401959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107401958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107401957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107401956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107401955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107401954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107401953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107401951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107401950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107401949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107401948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.501{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107401947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107401946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107401945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107401944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107401943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107401942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107401941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107401940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107401939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107401938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107401935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.485{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.314{3BF36828-A180-618E-EF10-01000000CC01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107401928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:48.423{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD57EE8C139B0C619E3757B03460F4F,SHA256=9909E51BBC6B52D61BF2B3D1812A4181B14AB338482E457BE562E01577692320,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:49.444{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8651410056FBA50689D0C88DC056B77C,SHA256=8B768680D71A6AFF5A86B6C5F9022FF26DD05F3555AD1177291F7DFE5A0A683E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107402041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.516{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107402040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.516{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107402039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.516{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107402038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.376{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107402037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.376{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107402036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.376{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107402035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.376{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107402034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.376{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107402033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.376{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107402032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.376{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107402031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.376{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107402030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107402029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107402028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107402027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107402026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107402025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107402024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107402023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107402022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107402021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107402020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107402019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107402018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.360{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107402017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107402016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107402015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107402014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107402013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107402012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107402011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107402010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107402009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107402008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107402007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107402006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107402005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107402004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107402003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107402002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107402001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.345{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107402000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.329{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107401999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.329{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107401998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.313{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107401997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.313{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.313{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.313{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.313{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.313{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107401992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.313{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107401991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.158{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107401990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.251{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.251{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.251{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.251{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107401986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:49.251{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A181-618E-F010-01000000CC01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000055902669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:27.598{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62798-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000107402149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.985{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107402148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.985{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107402147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.985{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107402146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.985{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107402145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107402144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107402143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107402142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107402141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107402140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107402139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107402138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107402137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107402136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107402135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107402134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107402133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107402132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107402131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107402130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.970{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107402129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107402128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107402127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107402126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107402125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107402124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107402123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107402122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107402121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107402120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107402119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107402118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107402117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107402116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107402115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107402114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107402113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107402112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107402111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107402110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107402109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107402104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.954{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107402103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.939{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:50.506{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC24C0402E8C79804CE97D9F56B03CA,SHA256=2E08DF8993A029B48513D9576C4AE52A0C354E4092C5D881E79BD89C3B1AC08B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107402102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:58.660{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61432-false10.0.1.12-8000- 734700x8000000000000000107402101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.532{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107402100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.532{3BF36828-A182-618E-F110-01000000CC01}34805492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107402099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.516{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107402098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.516{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107402097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.345{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107402096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.345{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107402095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.345{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107402094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.329{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107402093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.329{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107402092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.329{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107402091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.329{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107402090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.329{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x8000000000000000107402089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.329{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6405ACCCBCE2C7EC1325B886A16A3C84,SHA256=F7B878B526C34F34C292611C39B919156709DA551FDBCFA0832AE4CD5CF98253,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107402088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107402087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107402086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107402085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107402084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107402083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107402082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107402081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107402080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107402079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107402078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107402077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107402076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107402075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107402074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107402073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107402072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107402071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107402070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107402069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107402068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107402067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107402066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107402065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107402064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107402063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107402062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 23542300x8000000000000000107402061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5776EBF2F794CF39966C274729AF6F25,SHA256=9429D2275A380CC7524EAB9EA07A6B2FED7E36FA422FF5B8167967636A8629DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107402060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107402059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.313{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107402058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107402057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107402056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 23542300x8000000000000000107402055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA080BDF483B38DF638A1001E88F99FF,SHA256=D5CB75AE02809C0835889214A4129E9DC9EF997C5A03FDBE0B8B8415CADF5F4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107402054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000107402053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107402048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.298{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107402047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.049{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107402046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.266{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.266{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.266{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.266{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:50.266{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A182-618E-F110-01000000CC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055902672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:51.522{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFB97C49C01C6946E7789BC58E31E35,SHA256=EB1C66F298C8C195EE96D562184EF01A14FE737BBCEDAA8C143742AB678CEF4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107402207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.970{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107402206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.970{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107402205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.970{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107402204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.798{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107402203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.798{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107402202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.798{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107402201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.782{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107402200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.782{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107402199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.782{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107402198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.782{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107402197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107402196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107402195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107402194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107402193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107402192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107402191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107402190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107402189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107402188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107402187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.767{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107402186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107402185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107402184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107402183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107402182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107402181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107402180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107402179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107402178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107402177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107402176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107402175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107402174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107402173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107402172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107402171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107402170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107402169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107402168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107402167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C41715815DDEE9A28C963B5D78260F,SHA256=BA4C9D56A9BB7FB89168E8E4A8AFDCDE27E4BBFF42A5D9E79BBA27C4C483F72F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107402166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107402165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.751{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107402164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.735{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107402163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.735{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000107402162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.735{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107402161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.735{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.735{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.735{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.735{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107402157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.735{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107402156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.491{3BF36828-A183-618E-F310-01000000CC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107402155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.485{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B0AC3440DADB4521617C19F755ECBB,SHA256=FA92978B69674365E41BE7039A608793639B6DDAD3790606D4F5797AB3B9578C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.485{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2BFA9A4CED07E08FC5D2B979B732CE6,SHA256=889D23A3696F826C880CABAA06FC7D7480B1B6E81D92954DA8B85E1C7F96E2D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107402153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.188{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107402152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.188{3BF36828-A182-618E-F210-01000000CC01}19164188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107402151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.188{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107402150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:51.188{3BF36828-A182-618E-F210-01000000CC01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000055902673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:52.538{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3598951DA499ED2503EFAAD8F654217,SHA256=7B99921DA855C974FAC95C700C8C2C5B5E8DF7E7BB088F3A2BD4E5FA9AA0A92A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:52.595{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D63567FC39744CA1FA5B7F7C0C5B1D,SHA256=04F08C81BACA1F474351D453C7C5299011553FDF04EF7D6F75F1C775C6836F63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:52.188{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68B493ADAAA2DB5EA88C046E6BDF780F,SHA256=ADE9464AFB604F4417C683937FFE681620DC04C2E42BB8403807A63A23CFCAB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:53.641{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05CD9D034E9DBFD3119E39F79E2752D,SHA256=89D612C448F651DC989186175E495028A95C0B100FED3107E4FD5AF1D049A697,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:53.553{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346CCDB10A80C825479CDF2C176612F7,SHA256=8F836D7984C65BBE5032F22502AF260560E1D981945C2096D8BC6A75732F15FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:32.754{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62799-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107402211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:54.860{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E440F2A6E5366A680DB5C477650282,SHA256=F9534C0F47F5F71A12E3A76E76EB039912CE777122D82C34E19F7C162DA15277,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:54.569{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA6DA251A8B6E03616A4CA215E1BB53,SHA256=DF68AFC2E08B358F91F7AE7CEB8D489F6421D3F78F2980B5C231D253A444B73B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:55.860{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DB9FB0CDB85D695ECE6BFE0773BDB1,SHA256=A38D8F1A4671E4D4A0F0D0639E67CAFEC2DEBA70B57DA8849D2BAF6D9A09B117,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:55.616{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF21FFDF3E5FD8C1DC16D8895F9CC717,SHA256=4F5EB9AB37750204E9FA6BCD2F40E880469BDD5C2ACB04D5B43D346ACF95F28A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.647{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985A668BF2967F7113BC3A07A0AE1786,SHA256=E834E545A95B47C314F511D715E5F81B1764F68A1DED4F05F3F9A694CBA11D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107402214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:04.535{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61433-false10.0.1.12-8000- 23542300x8000000000000000107402213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:56.126{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ECAEE3D7CBAC298C8BB6154902DDE2E,SHA256=6BDB6A5D79E9FCBA5CDB581B5581AA85E437771656497D935AD1095EE10980FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.631{B81B27B7-A188-618E-5142-01000000CA01}28245560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000055902691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:16:56.585{B81B27B7-F666-6183-1200-00000000CA01}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7e9-0x184e4fc0) 10341000x800000000000000055902690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A188-618E-5142-01000000CA01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A188-618E-5142-01000000CA01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.428{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A188-618E-5142-01000000CA01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:56.413{B81B27B7-A188-618E-5142-01000000CA01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.663{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D954E4DA4454BB7F5E4C105311111D,SHA256=A937BE555E2E008A6E793A330D6EE780A14E4C205B09F4668C3CEBF1041A324E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:57.595{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8858341A124A01BD121C770058935E3B,SHA256=3C9D47625FF13A13D13F9782578E36C3EE7E0C2273779D980953147BA5CACF3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:57.048{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CB01FFB8603C6AB1E83186CB214D36,SHA256=5799B7796E9BF9F82A9577BE4DB417B24D32B38C1AE9123305557F7C6B85D60D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.460{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BBF6AF0A743436495BE8795F6B988B0,SHA256=0BD5ED914B8D518E3083841D70512790C3C06EC6910824DCD58964C973E79F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.460{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A001D19F153002EFC996834C77F4AA05,SHA256=DEBB28AFB19E6FEAB1870977A227868ED0074FD018E8B95D14CD13BF645F2690,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A189-618E-5242-01000000CA01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A189-618E-5242-01000000CA01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.116{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A189-618E-5242-01000000CA01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:57.101{B81B27B7-A189-618E-5242-01000000CA01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:58.678{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1DD44E3612199DEE0BD072FD4F621C,SHA256=283F5EB76F8C1A1BCB1B8F20BCE181F32E35F96134C095D741B3410549716F0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107402218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:05.988{3BF36828-9799-6185-1000-00000000CC01}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-128.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 23542300x8000000000000000107402217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:58.095{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B03C10351FA95D7FF851A137750FEE,SHA256=9F48C5FD7618CF79C548ED1F1A5659F005976201395719316E5E6BCC115FAB56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:37.113{B81B27B7-F666-6183-1200-00000000CA01}308C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse168.61.215.74-123ntp 354300x800000000000000055902710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:37.113{B81B27B7-F666-6183-1200-00000000CA01}308C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x800000000000000055902714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:59.725{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6836D4A54067E1F8BDC22155A47F1179,SHA256=32AB4263DFB19B1CFC6D91C20E1D885AC11DF79E979986888388EC6EC417FFCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:16:59.204{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E1F4811C2C26DACC43CAE6DA12C731,SHA256=EE8420621D1688926E52B4D92B29A3958EF88D543A35D61311AE31710861348D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:37.754{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62800-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000055902743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A18C-618E-5442-01000000CA01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A18C-618E-5442-01000000CA01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.928{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A18C-618E-5442-01000000CA01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.914{B81B27B7-A18C-618E-5442-01000000CA01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.772{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD90661916C13EB00C73089FF9ECB47,SHA256=1038D38A64092FCBB0EFFF14387381D1047A803659E9591E968A984A2E5E8CC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:00.204{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21631CBD207F76A8EB19045D53E96C5A,SHA256=5ABB98B35D038E95ADD4510998E58B92FA172AAC936D046741EF4597285A0AE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.522{B81B27B7-A18C-618E-5342-01000000CA01}32403468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A18C-618E-5342-01000000CA01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A18C-618E-5342-01000000CA01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.241{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A18C-618E-5342-01000000CA01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.226{B81B27B7-A18C-618E-5342-01000000CA01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:00.069{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A35CD7A2798AA9BB5CFF38EDB7FABA44,SHA256=04E94A6B718708CEB34605B62553BD91D59D271B148BC752C97AC182303A2122,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.944{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B066B1AF972FCB6C945BF5D7B0A343,SHA256=660BD5263743445C3C3CFE38EB66F40F79C31D85C6ABE539987A76B29C619AA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:01.204{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2879BBE8FEC4E39CA6E5E1CB30FF9614,SHA256=A416B65CA59B93865EAE4855CF451E1AEEF9D4CB3A287F43D60826214DC73194,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.632{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A18D-618E-5542-01000000CA01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A18D-618E-5542-01000000CA01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055902756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055902747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.616{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A18D-618E-5542-01000000CA01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055902746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.601{B81B27B7-A18D-618E-5542-01000000CA01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055902745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.241{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BBF6AF0A743436495BE8795F6B988B0,SHA256=0BD5ED914B8D518E3083841D70512790C3C06EC6910824DCD58964C973E79F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055902744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:01.116{B81B27B7-A18C-618E-5442-01000000CA01}43444704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000107402224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:10.488{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61434-false10.0.1.12-8000- 23542300x8000000000000000107402223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:02.204{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E8AA4F553AC6EDAA985952E3ED8036,SHA256=79E537D073A9EBB205F50D3F6F6D960D779F79A0F3147F067D6A6A9AACCB6B40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:02.601{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBCB3ACF659D08B37D5C3B8C5B808E6F,SHA256=5742B8B12E3BED8ED3222FA563DAFD99A392A1A18B4840F0691475EB47CFAB53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:02.095{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA0E82AC70C29D448B3827A7BA2DA892,SHA256=ABAC6A5224F1B0BF25A7ED34F3A4EB3DD9DFFCA3BBB778995428270419945639,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:03.117{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF0E5997269EB8E229AA0BB0C65EDA1,SHA256=0C05D312618B66CF4A2B744F2EF55C952410401EC85B4D60115876FA4AB167D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:03.204{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DFDDBB9E89BA1668711D925495C894,SHA256=8963CE3665E2321A920E6031C6E2630D8AE3A3841CDD0E5AEE545074A4BC3DDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:04.407{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F719183894A9611C1DCF62B1A875EB01,SHA256=593F6D9F2F6D8BAB19F03283E35401D7230B1E281D23251C7FD8D532E17EF9D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055902763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:16:43.772{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62801-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055902762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:04.279{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A2BD105A88BA0762A4646AF19AF5FF,SHA256=43438A374E57BBBA0DF2EC5FEFEE130CE6AD746F5BBC6A5AD6B3CA4433B9061B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:05.954{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107402227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:17:05.438{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B1B245A394CE20A70BA396222B0BB4,SHA256=FE339AE167A42EA87AD546056A21EF32EB19F3ED5A647962810A9B098FB7C600,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055902764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:17:05.294{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4183FFE7D334D105C51653C889100A31,SHA256=7A3C1178BAAD141BC1B50E1F1C3A058B507278428BB6057251DB4EA8A7D01231,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space