23542300x800000000000000030724922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.953{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=536D3C666578588B834D93C6490CFDAC,SHA256=B389214A2642DF186648365FEF30A21233F71548EA09DB6F498F2770D9E93AC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.953{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64702D3A31F5EDF6CBDDA2103D97C463,SHA256=1045B696F122A5698F835D0B8C993E376B84836831830ED45F5B879C1970BFF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.875{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AA752E1B41533A90B11A6AB91CCEEF,SHA256=4F039A4B5C4200E247FC120475FB2CB1B0E49138C05E5D44C912319EBFB4CC85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047953931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:16.260{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53739-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047953930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:16.260{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53739-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047953929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:16.251{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53738-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047953928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:16.251{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53738-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000047953927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:20.398{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EDC60814ECEF6FD17EE8FC318B9613A6,SHA256=9B0EE3C88056ECE298A0017CE7A57A4DB7F80165EB5850FF347AB0F8B4C31296,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:20.023{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33101D405248A55BB99247E9D9BA0463,SHA256=BFC386539045B15664F2122AF7385BA4CC7209E973ACB7AEF58F8C6FB1DA491D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030724919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.790{B81B27B7-6348-6125-5600-01000000C801}3565032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.653{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6348-6125-5600-01000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.653{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.653{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.653{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.653{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.638{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6348-6125-5600-01000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030724912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.638{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6348-6125-5600-01000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030724911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.638{B81B27B7-6348-6125-5600-01000000C801}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030724910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:20.154{B81B27B7-6347-6125-5500-01000000C801}55046740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030724924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:21.890{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491C15833D453E1D231D0E4622C9003E,SHA256=21A6184CDF0C4A426EE6A603BDD23D6EFCEEAA27D4A1812F6886F5F0768F2989,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:21.258{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8DBE7500D12A6EC81697CB898C6D844,SHA256=4A89D879D4DDB9CDEAEE96C235FE9B408F904946E50B6399C4498C5115AA0C44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:21.258{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33985C25F8BAD141BB46D638DF693E4,SHA256=2958433E29A8D73207D0987EFB58C1FCE40722895C1847F4A74545E8C29C3B16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030724923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:26.065{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58825-false10.0.1.12-8089- 23542300x800000000000000030724926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:22.920{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682F3B241AB843E4128534A955C4C434,SHA256=1224D4813DBD35AB422855B244A439A1F61E76093D5D3652056D372EA6707F6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047953936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:18.935{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53740-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047953935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:22.398{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D58275601F9038502830E5472755DE44,SHA256=E204EA58A83E1DD5DB66ABB01FD644BAD8EE64A3104881763863144D8C42FCA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:22.398{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23735FBF0D875D56C56657C755AFF9FE,SHA256=9B0703863AB971E4377A8AC1B5E4CADFB64C513B4B6B0F4B804C43B3017A1581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030724925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:27.063{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58826-false10.0.1.12-8000- 23542300x800000000000000030724935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:23.936{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECD699BEDB466FB26CA2E413496D268,SHA256=B65103D9264E31EDA678F444CB11005B48455ADAA0B54ABC8A6B07D00759DD2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:23.554{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B6DB4CC467AD615725F9333771C498,SHA256=5727B7C8899B86A486E0BD60806BCEE38E4CDCE5F2B8BB8E762C341326DA4026,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030724934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:23.105{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-634B-6125-5700-01000000C801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:23.105{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:23.105{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:23.105{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:23.105{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:23.105{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-634B-6125-5700-01000000C801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030724928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:23.105{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-634B-6125-5700-01000000C801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030724927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:23.089{B81B27B7-634B-6125-5700-01000000C801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047953937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:23.445{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F713A05F9E822F7B823B92881EA39B2A,SHA256=B61121795B5F3D62EC39A9442B120353658EE988800A1AA5FA37D0640927E57E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:24.969{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC9687A46AE41434D8F18EC26B89FAA,SHA256=CC4F82CAE57BB90D02F0E395F6065979B84E1B45DF94F3F97B661D2B01397E04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:24.554{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2241850F0FECB0BF13AB409F24434E57,SHA256=FFF236DF359C42B6CCE73BB6712DE76CF4DEB300621A4D20D8A1323A513583C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:24.554{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DB2B2D09F743E95646930BDFB9A9D5,SHA256=D84D11EB9AD0481A335E1DBE5557103AC8D442DF3E5F1EBEB47D94D736786F40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:24.089{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=536D3C666578588B834D93C6490CFDAC,SHA256=B389214A2642DF186648365FEF30A21233F71548EA09DB6F498F2770D9E93AC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:25.989{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8CA2F4C30F662DA86B93791F27BCD3,SHA256=16B6CC1CA60D3DA7A47953F497E580AF237ED5A54C03EFEED9307A27D94A2639,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:25.742{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6832496F8502C22BD557A34289C9E39C,SHA256=D8A52E2747E23F790859E8FD3A601C68624CEC38B33AB986B6F69F12AC277F61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:25.570{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC93A4313FECA6C0E9ACF398DF7FBB9,SHA256=79A55BDED2E20F7B43FD6FD391F5510E409FB275BB756E4243031A6753592755,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:26.851{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F1FA30C1E80B1B9B606876E2D881975,SHA256=C89F267B7BED49A4F1FE0D6210C997B66A54BF223D4CC3EFE0577C12B5BC07D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:26.601{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F42D5EECF2352B9C6B30591AA299C8,SHA256=DB654B3DB62A7FBACF71D85C20AA678684946160059F85E25EB38E861722DE7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:27.601{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEEE4FC593BB9A6206981216CAFF6F9,SHA256=FC8C50D65B85979D247F39ECAF1208C19B5CC5975646A2B7E961116F790B9C16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:27.019{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEF32F328D22EB0C3F8D9BD181E007E,SHA256=AF24C89132104CB4A7599E965F87D24D8FB186870041CC0F6DA2C03BD5BC4F93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:28.617{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5069705F4A292182A47BEC30CC84AB,SHA256=BD00C41B328F5767C2C2EC5832A24D111E43FF4E55284D9C4829365DD7372140,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030724941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:32.946{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58827-false10.0.1.12-8000- 23542300x800000000000000030724940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:28.050{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2D0CAEC774F24A28C25AE8FCFD5137,SHA256=DDBCD9A06BDBB27646A25D9FC0DF141C98C2E97EBE0C7328642DB56351DFCAC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:28.195{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9477B6275EE15BCEB3613586C8D0BE07,SHA256=5698C5AA3A8F82E32F6E87E2F3E2535098E5B5660C103A38BB56A590EF0AEDE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047953946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:23.988{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53741-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047953950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:29.648{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDFD5A66CCD42EB2C511B64CCF9BE6B,SHA256=2B7EFA341D61932500226F386611B773DEB1D958608E37A405F0E2CA30BE4471,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:29.067{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931CA0FF79A922CC202E00CB426E109E,SHA256=A32D3835A66995DF67CF1778D220F00CD2DBB42ACD6B8F043C167736FDA8D860,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:29.429{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B499A9E7B7BA6CCD37DB057839CD4D1,SHA256=E6DDAC82774E4F06CF410D3686B788A0A5FF02060E51DF50F005A707B1061947,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:30.664{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9835893D9047A89FFD4A9A86E740EA53,SHA256=5AB13FA322FB1DCFAB1CEAD5C0283ECA7FFE49B9532DFFCCAC5A3DC2F45AB7C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:30.085{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8AC4702921C5C5136F2A1A7F9F9BE1A,SHA256=DACF9DE3906F53F3FE02CAF033F5574A878E93D7C51AC1F8FAFD79C32D457BB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:30.476{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=940C601D6FF79AF10EB4A6C970952A95,SHA256=797183E6794B417F26716CD087809833221F2AEC0433E869E0F422873178CAA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:31.820{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD5E07175A3237CD1CAF2D5045BECCD6,SHA256=EA5782A9F6310FD0BAC22E1129D4CF72BF8E044D505CA3EA61C0CFB2362B3461,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:31.711{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59F0A0D06EF8698F34885FD98C48805,SHA256=6150B6B206F2AA66FD98714BACCB0B475B2CA1D9779F7BEE64D5BD032347F31B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:31.131{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AE0182194055213164FFD3D43E1EE1,SHA256=F8254956DD1CFAAC457BA39D85D24ED89E50C00EA7D0187AC44C2CDD792C13E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:32.976{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D7828C8D5BAF3911483C902221D8A9,SHA256=C6DF2D906CDAB47EC97B012C594BC1BB23AF8728B3DDD4D590251FAAB234AD9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:32.726{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74247073459D0802FFB9403BEA450AA,SHA256=F8FB6740DB043409886CB78B802E1FD187F8A31E0792B4C750E332A5157BE22A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030724946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:38.010{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58828-false10.0.1.12-8000- 23542300x800000000000000030724945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:32.146{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D45459BFF9D62846C2F1614C2FA035,SHA256=B79D9CB156507F59B1833B8C4BAE89510CB6B98997DC7879D385823F561FB2A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:33.742{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8524E1154D9F9C5C082CFE735C81EBF9,SHA256=F2C1E77CEDBEA1F1124C277DF1824CB18F3E727A500C30E2C8CCEB5C72E94497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:33.163{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47913F12BD650627DA9F7964457CB61C,SHA256=1A57798D42F6C97E76C67C19190A6B430AF1CA869F1FDA10843F84274F1A48FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:34.789{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6323A3DFBAA7F258EADE74AF563D14B,SHA256=0C03B7FADE10001242B8DD5BC67924522826A7319F193D16787E9E4E6FC65F4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:34.196{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2341F21A9EA27A1B161F17C737B3E6A5,SHA256=317875E9863621408CE22F3B8614CF388EAEC879EDC9C62253BBFEE758D5A3A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047953959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:29.982{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53742-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047953958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:34.148{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE23204BDA5A3BD244823673C231327,SHA256=CADB26CBE5970478D81F41DC4003C0563BB95A6E2B7E7E3F787EA13F5BB15CBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:35.792{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FA928AC330298C4D87993C9E53B705,SHA256=0FFFC7F5E71C13658C96EE0A3340751CDDF0A01AE737965E57431C3C0A7DA130,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:35.211{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6FD547A4D0418C5E7F48A5AB2E2C7D4,SHA256=D7DEE1D8E254B60DD33FD1117F19135D2E46C16A7BBA4CF2CB6C8D025EBC1435,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:35.258{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=201F72F28C470BB8615B81BD1C9F5BEF,SHA256=96A74DF89712397BAAF56FAD759172A5C3F9A5A8FA41C9F3C097FBF074E0C8A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:36.824{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9175C337773B1BC6A582764B237AF60B,SHA256=5050DD630B1F224E9F8584911CCC95C1D2357C27A8A877E0FCECDCAE3AC5A063,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:36.227{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C943640314B7A75FD7EB5832D1CD2FE8,SHA256=03DB5143D05BAC3DFD7F752E4046009D91BC926AE0327A547AC4612F3E9BDBE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:36.417{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE6145742B996A7078A7278CFED2EBF9,SHA256=E20648730B0D2DC6AF706B1F12D42E2512DAD2E6023308B52237024BCA7315A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:37.839{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C229CD851CD72461F9A619A5A9D515C6,SHA256=7C5FA839DF7B8695DC45030CB0221B8184504D7E28AAEC5084C31F06C32A55F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030724952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:43.068{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58829-false10.0.1.12-8000- 23542300x800000000000000030724951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:37.227{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972DAC5CEAE8BA577FE9FD588B5C048D,SHA256=25E22642964168D3F5FFEBAC6050A53E9D9A86BA2FDDBAF675641CE43AA0D35D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:37.496{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2BA75788554465AF2A57E6882070499,SHA256=45B435190874CA0809BDB46F6A2D79536C0AE76642F7C455305525F882740936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:38.949{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF6A9862EC3BB99CE4B1DE31F6C1C6B2,SHA256=1BE5EE8E0BD55C3C5591AE19B74A386338A79BFEAA68D8D7B76C601D4920DAEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:38.855{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EF5FCBC1F6BAA9A6A50DDCB62CF303,SHA256=FBEA40EEA5B9CE854F6C9A1E01A8EDE14BAB6F192EB5A9D435417B684F484E27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:38.227{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB762784C7764F198A34F5D2B9FD3DB1,SHA256=CA625DE525657BBBC419FAC471C68731B36E30087A0D35BEB43D3319AB77B525,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:39.886{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA420FEBF280AABF1552E460CB708A2,SHA256=B00AC2F5A3E03A334ED5D3DA5DD51EF7863D63E7A870BFD786B599F560B94253,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:39.228{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294E6C451331B1E5F206AA56E83EE397,SHA256=E7C76FC3D7127D5632FC586E502E04EF3FB412809CDF596C68943D5D043E7589,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:40.903{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5557736F40BC67C57871BE83B6EB6450,SHA256=055B12FCB8329305E48682B614EB16461E7172022383E79C7886C01CA65F0C1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047953971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:35.907{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53743-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047953970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:40.246{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=025AC0E545A84A726371F240F6F70ABC,SHA256=304708BF5F1F61C569AB163A4FAF5CD153A68B15FE0581F80455D0E6E4487A64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:40.228{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AA3A089A1E1C43A31BD0806C4C8405,SHA256=FBFFFA4AC25034E37A4F19B54F29A31DEF43FE768D09C5EB4121CDCC16A740DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:41.933{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183157ED102B692718A8241D03C2F80F,SHA256=5419C18D5868ECC163B70431D0E977D07EC8D6D52ABAFC322D6FE297F39E63D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:41.263{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC678165727EE3123316DF8AEB954CB,SHA256=A2CDF09E85B8E567539D1BF2BF3A7761393921E8BFA5A3A81EC4CCB61879CC89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:41.277{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99FDF93217BF04407ED6FD8D44454445,SHA256=E9D4DD446EF365C611E9A0B687AA99EBE191F062417BF03955B0D55068E7E81A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:42.980{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474346607FBBF784DF510BABB3627673,SHA256=E304695F0BEE54EEB9F5974C773B65E64B7E13BDADE6C03F45112E414DE32691,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:42.266{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC52D8DCA463E8F3ECB02AAE8107D41C,SHA256=C2537187B879977A2387456FDEDEC04A41DE789723A50AD63F36F52BF36739C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047953975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:42.527{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C4891DA416256C6E0F0244D09046844,SHA256=9BC14EE065E2B245E1DDCD7DE1E9D13CE7296A5B0D001E5960095155A85C4EED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030724959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:49.044{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58830-false10.0.1.12-8000- 23542300x800000000000000030724958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:43.287{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B111390036E5AD7C5E6439CD0A672CAD,SHA256=B3AA7C2ADF541F515DAA6604A8669405EB1D03D317FB7B1BE466C6825C0CF265,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047954033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.917{3BF36828-635F-6125-45F4-00000000CA01}19684896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.902{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.902{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047954030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.730{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.730{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.730{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.730{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.730{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.730{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.730{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.730{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.730{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047954021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.730{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047954006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047953999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047953998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047953997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047953996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047953995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047953994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047953993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047953992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047953991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047953990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047953989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047953985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.714{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047953978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.700{3BF36828-635F-6125-45F4-00000000CA01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047953977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:43.667{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B46134338E45548C870661A3D0D4C64D,SHA256=BA472353A8CE3818D589EB7BC9D7099D99BC45AF0159B957BAC2EE9888F3D0E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:44.303{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C180103D8439D50F49AC4ACEF1BE5288,SHA256=C6BE88E550DB72B0F7E3EF06E2B7A84B717BB1964D130CAF95B30C88ADF948FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.980{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.980{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.980{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.980{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.980{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.980{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.980{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.980{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.980{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047954141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.980{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047954120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047954118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047954117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047954116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047954115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047954113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047954110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047954106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047954102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.964{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.955{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047954093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.949{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439B20FD1C022DF9ECA7750A751D88A3,SHA256=1BDECDC37D41A2706030AD3F16EB70B456EF6D01B2728266DBAB48734FB5FF7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.855{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D38D316B8B3796EA9B272702448771,SHA256=03E6E144AC949E87B07976A06A634C4A2BBAFD50F3775BBBBF3A8CC2EDD3779E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.824{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2668216EFECE8E84943EF8591E2D551,SHA256=3BD213379DA4F12E2393F06FA4E69A602AEE1BB4791FF78CBA5B571071FF3C8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.574{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047954089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.574{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.574{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047954087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.433{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.433{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.433{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.433{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.418{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047954068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047954065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047954051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047954046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.402{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.387{3BF36828-6360-6125-46F4-00000000CA01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047954034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:44.199{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A01A98B1E4200B0712BE7D8E9D8E68,SHA256=F5F5606DD95BD51EE123CA3F74C7935821F08F6070BDD1D089CC23718B1FA253,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.933{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=113E10682D19601DD5BCE9EA8D0D4571,SHA256=517E2417935607F8029163DB010E2D906F5BE758CA909A3BEB936DCFD4279D82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.933{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A3E45ED5A42718CA21EE3372C42CD4,SHA256=CA465A0375A1AE624C5C8F60F8E9668F6A7A6096DA01A14AB6D1CA2CADE704CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.824{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x800000000000000030724961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:45.318{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E1BF8A557E5405D863148AD29C74BC,SHA256=0055AB1A7065B0FB2BAAD6EE207EEEB29D87BF7624DA610A8204849BC2E91739,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047954213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.824{3BF36828-6361-6125-48F4-00000000CA01}55642504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.824{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.808{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047954210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.668{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.668{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.668{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047954192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047954175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047954171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047954169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.652{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.636{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.637{3BF36828-6361-6125-48F4-00000000CA01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047954158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:41.894{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53744-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.246{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E8798EB4B0DFA0EAD56DE7C487C38FF,SHA256=0B43BE541695A83BA6B5743A62A217B056D572DD866632055CD3BC09EC9C32E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.246{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15F41D09E3D32A462D1B0C42FCAD874,SHA256=5BC8B54DDA7861A25C75A26FA125ADB3372786FB7801215369D2817D6ED364EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.152{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047954154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.152{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.152{3BF36828-6360-6125-47F4-00000000CA01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047954152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.136{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E69369FD59477F681B9823A34580245,SHA256=CAAFACBFE2616798109660C7776C6E918A3104A3C83A7FA7E11E0E80638AC4B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:45.043{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43176EB232DC0FBA0DF65DDAC92B5213,SHA256=ACE95991A56012577946C7AB6127888EB60A6726733105CA74068A9B5407CA17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:46.348{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622B38AA3C1BD8C87B7C34F151C7453E,SHA256=07AC7CD2F7996AD4B1994513F319E432E1FE94201DB7B69FAC1C7CAD85308D62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.496{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047954272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.496{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.496{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047954270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.355{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.355{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.355{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.355{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.355{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.355{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.355{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047954255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047954238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047954234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047954230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047954227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.339{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.325{3BF36828-6362-6125-49F4-00000000CA01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047954217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.324{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C359F0CD7A239FA9F24A9B768232D254,SHA256=9FD262A49A935657123BFA6CACD6D0C39A3AD300475139EC31A217AF578393B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.918{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E53FE81C33DC2CE356CA8CA9BECFCE78,SHA256=950F41E905EA1ECF81B5E880DB33B4D3EF8FE69FBD3E521B38A7B970DA05C285,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.855{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74F2F2FA4198C36EBB60B335CFE8264,SHA256=D956A642DDA2454F5B594B9F1541376A859C0041098107F478272F22BA0BF02A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.808{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047954392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.808{3BF36828-6363-6125-4BF4-00000000CA01}60644388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.808{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 23542300x800000000000000030724963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:47.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA1C8338BFD35CF0FF03091B0D3E38F,SHA256=D1E989855922BB6EBAA87C188216912223A1B8FAAD64BDCB8C10FE04B1F6842F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.808{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047954389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.761{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3D4811D3E8A6270EFFAF5C04F920C12,SHA256=8B05C0F22C42FFEF52FFC4741CF6CDA0C2AB71E4CA876D4AC96C3EFFCAA61691,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.668{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEFE4DEABF4897A85ACC4DFE5626A6C,SHA256=24D71638CA0F6488D73871B4DB1000DF58A050B8A35F24FC908C209F78383DBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.621{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047954369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047954359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047954351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.605{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047954346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.589{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.579{3BF36828-6363-6125-4BF4-00000000CA01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047954334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.574{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31445412F3A65E0142756177ED5E80A3,SHA256=51DB9BAFC1CF1684D5536CE11B6AD3953CF288BD25D19453C28ACD2752DE08EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.480{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69DEBEAB3024D1AE133569EC294DCC73,SHA256=632A39D580709FB518EB1E0A0CD8AC553C54D10FCADD00A999647666353F6B22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.418{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F59F537CFD7D2E79204EBD236D41C7,SHA256=AB261CDF52C68FDFDA814986414188A766405C4A93CB7974B307253099F6E219,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.215{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047954330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.215{3BF36828-6363-6125-4AF4-00000000CA01}37244772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.215{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.215{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047954327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.183{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5014FA03ADC428BE423AAEE49E93CCF5,SHA256=995E3C5B46BEC170E6E155AF903FFEED8E14285851E8B7C8B2E3E375A5EEF0F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.183{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338745D087ED493152C5FCE164AFD8AC,SHA256=066A88DCD201A4AC903CF7A266976466043A17D63529B897D2CF884B521BE288,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.043{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.043{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.043{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.043{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.043{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.043{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.043{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.043{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047954304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047954290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047954286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047954283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.027{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:47.012{3BF36828-6363-6125-4AF4-00000000CA01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030724965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:54.155{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58831-false10.0.1.12-8000- 23542300x800000000000000030724964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:48.351{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42049CF429787CA028FC6F1253C7E0E2,SHA256=46E1CC73F9A790A5F2186277DE150E879D6590950843EF1EA601F51BDACD5F9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:48.574{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812F72120DF912BC25448585D20D18DE,SHA256=EAC41931184C1F2566D082CC0618B636E7652F404661414D9FDA3D82D2DCDA49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:48.152{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FD78D03FCFF8C5DC00480B3BF320043,SHA256=9C664D65FD08D60D0DF3D652C61F3FB4A1BDA587FC32B1DF2DD49DFE6C9E1CBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:49.605{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C4B3B6137E7CA617175A2446FB38FF,SHA256=27DCCB4BC90776D3D0596DF8F3037AEC3D2115420CF811D022E185D0C22B9875,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:49.371{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E44870664070DFCD05424B43ACBB85,SHA256=A79D594F12B47F8904F9CC08C8645F7CF5C4A5B729183042060FBEC55F886B9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:49.402{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=272E67E127C92684EA6BC2630D2D600D,SHA256=DDE0E2EB0B6ED437AB9095D35D57D9FCE3C4D4B2F5BB7C977E982EB863ECBBC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:50.746{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FB8B9799D9B6F66020A469AF0261ED3,SHA256=214BECA176D451D1C258535D0B15E660165489EA8E7931123495235645A589B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:50.746{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9271326F8DB1BDC92C97251997D841,SHA256=A08D69D5E9314C49BF3EE989D475569028E0D7867844760705F967AAD576F434,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:50.405{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000218E440FE1D5E8C71964C3691AB29,SHA256=1D3A56E5A17E51A7F0CA66CB90376B3D5718EF6F516627A7FCA61E85E8C760CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:46.938{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:51.871{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54D89BADCD8555084CCE77F591A52320,SHA256=A2E6F19C49C6CCF0E9AD664C452EE080657D78B912C8948D51B9B949F1882CF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:51.761{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F5B9CDBAB06562E1DB7D40CB09674F,SHA256=976182C0EAB7E154F13DCDF132465856C5D92F3503BA8E83B8310B8DD3AFA25D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:51.422{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CF4C7FA196D34312310BEC22AB2A57,SHA256=26D10889C42E079F1659462AB137522F5147F13F31D82C03C829BA7835ED0D43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:52.777{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED60B3B5F68261F37B1B6AE358DC6066,SHA256=39A5FE3326BB0592546DBD823DFFEEC42BD4B872F88955ABC8400FF5B926A3CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:52.437{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3E369C1E661B5358802BA6027CFCC9,SHA256=FE91D4408DC07273DD910F108A00709CE03FF4F573AEC5D0B811B935733676B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:53.808{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276094B7E68ED702644861861B4FF3E5,SHA256=1D2292C4062708CE1A154C4102AFD4659C703E2B0C0273DE8BE1018B1D5BB651,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:53.468{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E7C56F93FB576C849197FAA5366AB5,SHA256=9B6B2C265480D37FDF9592A236B7C2760D1FC9E5D54CE05A29E6F935305A6680,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:53.011{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2B7022F4602463DE4D5851900072809,SHA256=16A3BFC83DAC1768FFA8B8A0FD131E4C5041FB8787382A973E458A60E93FF74D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030724972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:59.959{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58832-false10.0.1.12-8000- 23542300x800000000000000030724971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:54.504{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9132089926DCD50F12801BBFBB0BB627,SHA256=2D266BD335500E13DD8E7600C384FE6BB24CCCCBD6053EFD9C8C3D4B45B96E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:54.824{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80C6D2466ACF96C840BEF0FCCE032C8,SHA256=DC8FB585EDD295EADA1DA9C8DE293D3ABB7F919F1D117E5389FF073828B39BB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:54.293{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F775B217C5A17772E83F3CE12FB8608,SHA256=0C08F61E4E255020FC18D7ECC6A02E5BD95715ECDAECCB2CF51D23E01602E08D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:55.842{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159A251160B9078BB6C85C0D0E459B47,SHA256=F0C5B5531FE52AE1DF663FB1FBB64A9FDDB03EEF3DF52A727353CE63103847E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:55.520{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE45E640DFEBF6C97BF550A265498CF,SHA256=BEA48CF2A937D2E2207AD8C3EE12A82D54CD83A5637C9BB057E6D9076C6968B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:52.001{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53746-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:55.544{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A91200F7446E044917ACA2A2D86EE04A,SHA256=0CB41945B3216CE3908966D0072116D9397E99ED1AEF1CF38C94EBF781F162A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.860{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39451FACA19F7F14DC5F4368AC220B96,SHA256=7C697468FFE41626C28739EC5AE4D6BF60706975F682C24BD7A2FD8172188439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:56.535{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87751D041241AD60B8F16D1BAC63D691,SHA256=4A5B73C775FBCADDAF30886A4CC433F160D73535EDDF5260D8A1F1CB8F451A26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047954425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.545{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047954413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:56.529{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=064F48F282433C7DFC6A71D5C1876591,SHA256=7E6EC86FEEEA03BE45C2C486E82235711D2E8AB29A696BA86A8CDE3BA7D880CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:57.566{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3CEACC186D2AF6A76448E741398E06,SHA256=4F65D1C4654C5AE620076830BFC3B01373D8F1E4E0BEDBA093092838AD4129E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:58.585{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C6F15EBFDC654988E5520C5DD940C5,SHA256=2E7F6BAAF80E0960CC428602B894C32321003A8A64A3B536CF45B848E77F1FA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:58.019{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6EC3835EC3606C71977D5F0FE0D7C44,SHA256=BA7A24829090B3B5A51C3E7420A109382A465994ACAB011A0AB1A5DC2E8EE11A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:58.019{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD8313B548BA8A71F8BBC5878022347,SHA256=242487EC96B4D7698586DF9648115B506834528A6466A24344B9B7129FFFDA06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:23:59.600{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB243EEB266810B3B8CB5B0C52955B0E,SHA256=B0F210E955A36E0297122B9F8F773EF3689E696B79FC0B9322DFC932666728E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:59.160{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA66FAB3BFD390F8C5C1532DC0472847,SHA256=39C0663A26B621E1ACA556853A6F66C84BADC16E5F3C18B7E7270136199D4587,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:59.019{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0278E11060F34B65F71FC5925CA5AF5F,SHA256=8CD8BE5C5559B585E810CFF2212E0FD663D205F8D966FC1E9EF447CAA859718E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:00.630{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BF5B97C81B733914E06399EACAAF87,SHA256=B117FE007FCF0B109C292966DFA641FD5864AEDAE8947082896614B6328503C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:23:57.071{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53747-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:00.175{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6952ABE46045C5FAD62C770D14AFE140,SHA256=ADBD3ED68281D6D081C38DA08BC7D028145100492307B2BC0F1F82A2B24B0D25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:00.035{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158DE974D24B3340B817F09F436D9539,SHA256=305851BFC7E9FD479340D529D1FD167DCA79BCAFC13E18463F0328F547725292,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:00.146{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ABC1355561EFF0E7F324FABCBFEDAD48,SHA256=EF3A6B207AF406928D294D81E3BB7D3FE2A70EC0F4453F9FDA322140E5F30CDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030724981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:01.645{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21AAD689687A8735ABC0E0DF36281DD,SHA256=CD5EB2D1CC3D81DC0F96B02C87BEB8DBA8D4108CF2D05F657305211A859891A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:01.550{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B35041961DBFD0552441467A6539D651,SHA256=55A0E9373A7CF10E9E5A885A40AD0D85810782732220C59970B26AB299AD39F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:01.050{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E5F73E58EFF75E04F7D36384DEB773,SHA256=14EC17D66E6A58256D8951623D0792580C47BA4812F9DC187F4257B7F061E156,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030724980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:05.143{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58833-false10.0.1.12-8000- 23542300x800000000000000030724982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:02.661{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2642A83E5F91D3ADE54F17FC054BC84,SHA256=26DA4B0EAE6D7E9649293683E182DACFD9844AB9D5BE033377C4E54E124D5D07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:02.628{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC5FED708B0C92E2EBB2C0D9E0E0DDB8,SHA256=990820EBB7A215FEBE70DD744B3D67FE1499E769927994719202CDF0AC413654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:02.050{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4029E1C89A7F1B503E81D2B987436C,SHA256=F027E1938102BB7F0C2E0E1B25C3B1FE620341F2B30B1D643D57AB34CF224D99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030724991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:03.861{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6373-6125-5800-01000000C801}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:03.843{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:03.843{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:03.843{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:03.843{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:03.843{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6373-6125-5800-01000000C801}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030724985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:03.843{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6373-6125-5800-01000000C801}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030724984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:03.844{B81B27B7-6373-6125-5800-01000000C801}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030724983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:03.681{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D353B4862855A7E48970336168E35AB1,SHA256=1A7652065807B6418ED81650A22ADDFE8531610A50CE6AF69A01995E4ED6BBDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:03.879{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E54D267BCA5D0E2BAD1D0BB097915679,SHA256=960AFC06AA97654446AD3B6F6B08BFFBA7855A8ACB7E6ABD59CB12CBEA73B07D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:03.066{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B88914DC04C59E5A8924C8ECF9B06D,SHA256=5B59F8CF05698E8BDA98A38FBA4EAC06AAA16F121510175F9C51DCF0C69B3452,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.852{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96BE8E4F0127D62A515CE1ABC0B39E1E,SHA256=6095E09C36195E153FECC95B6CEEB10BD17DFB4FA5749818C54E02C2FE499A00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.852{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8367D34B135919B047E262D8E431ECCB,SHA256=D86126728D755A06B3EB77BCE7C8651C9A09FC998C031417BD9F91F969A292BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.690{B81B27B7-6374-6125-5900-01000000C801}60804132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.690{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C24CE00813197835AC3943CC2B29F8,SHA256=A5D3945C95A9CC4DD4E88B9F6D09C512FDB38E52B9A586AEEFD0ACF2D73A50F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:04.082{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1587CCF779A1D46968732F5CDFFEB1,SHA256=2053C5F982CD9AA0696A7252A8C0A3542A165572391D1FDA40B11BCCBCA2125F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030724999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.553{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6374-6125-5900-01000000C801}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.553{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.553{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.553{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.553{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.553{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6374-6125-5900-01000000C801}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030724993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.553{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6374-6125-5900-01000000C801}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030724992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:04.538{B81B27B7-6374-6125-5900-01000000C801}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:05.736{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F1DB516D62A6C9BBF95D1C433E4AE9,SHA256=CB36ADFAE6F79724A8AB67887BBD8803803AAAACA216F3286A818FD16013EC40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:01.790{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53748-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047954443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:01.790{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53748-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000047954442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:05.175{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBA203C1E2967438CAF0E396A5A6627A,SHA256=FF075B3EFF5448B615783CD18DA9F309EB0B621D087955EB99D6209D30D6ED57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:05.097{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365CD745D3BCC82F14B970AD9707E7BA,SHA256=51643F2018EB2192BF1DB2ED0A9432A56F9AE62101E2EC9B5D894A41E81B6D42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:06.751{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB974D057753DD32DC409BB4E398642F,SHA256=B692A540058412453E8548A2F4BD7C0FB3F21A983F7AF8B94D43BBE18F2D4164,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:03.071{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:06.472{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C11691E043BFBF204026D04FC206CFF,SHA256=C73CA67BE721B88D9A810916F1730F4EACDF538FB81CEC2C0AAAB141C9539F88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:06.144{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D146B6C38B4637D07D51DE79A7BCD4,SHA256=7774FE48ACB9927903740E3C09757680A3AA836FF4038A6F02AF9813BA9B158B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:11.132{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58834-false10.0.1.12-8000- 23542300x800000000000000030725007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:07.769{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C7AE0E1E8BC9405F91859522A3AB2C,SHA256=0043C201730BC3F31E8E0F2FAAF00FF908519B00953B27F8C3E2F95723BC2A7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:07.800{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5195FF4D0FD6045814355720D6C7AF16,SHA256=E26DE60977F9A9AEDBE961587F9B05B113D90B0D340EDA6A40CCB57DD3919200,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:07.175{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E889F36769FB00E5F351739E9540D9,SHA256=BC6A6D3E1EDBBBDB18EB069B1E2BFCE9592A246886653E9F14CAAE67AEDA92FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:08.817{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0553D591DE6DC8DB346E01667B8E92,SHA256=D7A3C79823257DA54D6A500A07D3D0A685ED1262D35A75BAC3F6D20D2A704681,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:08.878{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1829760AFA68F76738B379CF4D9B9A5F,SHA256=DF36A28DDCD2C0962B2648B3229C9B85E2A837CF994177A396F1B953B4E07263,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000047954460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:24:08.503{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047954459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:24:08.503{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fca3326) 13241300x800000000000000047954458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:24:08.503{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79925-0xfdc60f75) 13241300x800000000000000047954457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:24:08.503{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992e-0x5f8a7775) 13241300x800000000000000047954456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:24:08.503{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79936-0xc14edf75) 13241300x800000000000000047954455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:24:08.503{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047954454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:24:08.503{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fca3326) 13241300x800000000000000047954453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:24:08.503{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79925-0xfdc60f75) 13241300x800000000000000047954452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:24:08.503{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992e-0x5f8a7775) 13241300x800000000000000047954451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:24:08.503{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79936-0xc14edf75) 23542300x800000000000000047954450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:08.207{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE78159E93FA29ABF361CDF3F139F803,SHA256=2C3E833626971EED04A2B09835E1FC1E4497F995D5DA37861640998CC8C4E321,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:09.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885434D8D25760B300EE4729B5978FD0,SHA256=48A81C871C9F65F151B964C93769539E9B29502747243D03C04E147477B9F1A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:09.222{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DA7D83BAE0FD487ADA3D83946CB668,SHA256=EE0527BA8A8FFF63B2A2C54E3BD738841E1F72EA67D6B7BBE98A8B40DDB3787A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:10.964{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB28430C7B6CF4044BA1E22D92BE3A0,SHA256=7822D13212CC798BA5110B2AD5F5E88D07E12FEBAEE7A8BE22F8D64E63930226,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:10.394{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F823DBAA96E02147E3408180CD9E4829,SHA256=C094700AB54ADD566F91986840A97C13143FE9273C548B82E5B1126D4E9FDA78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:10.238{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C7796785C54643AC97EE0B1E721DA0,SHA256=F8DBD09EC528A9F27BBC7D5207536C2BECC36850880519AD3B849FAD2990E594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:11.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54191361D536991455C2548FBD754BDE,SHA256=AFC16FA80908C81F03EED3D883DE54F912D72178E16BBF16567D622FC4F5CC58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:11.519{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:11.441{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32070149A062C26D7E94E30E5B625F96,SHA256=3D03C2BDD07739364B287CA38D53291F4CDF7AC17CFD206306B4515FDCABA77C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:11.238{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A866F93B3AE956DE3E66A46CA058048,SHA256=559AB2B3ADD27E36348F3332DBE34FC90B758DD98FBA0D2CC9D2A98D6811B6D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:17.111{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58835-false10.0.1.12-8000- 23542300x800000000000000047954469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:12.550{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37BFCA429BAE431206D3571D845E697C,SHA256=A80551BB24BDEAF3BF394CBCF7180057D30998F537D6BBBDECD607B25856DEEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:12.285{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D648787C5E07C72ADA5857784459E7,SHA256=4DFB4877BB926FEF6A584BC0BFB44703999A92DBF5B09BE179C2FF39F4483C13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:13.512{B81B27B7-637D-6125-5A00-01000000C801}35083340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:13.328{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-637D-6125-5A00-01000000C801}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:13.328{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:13.328{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:13.328{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:13.328{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:13.328{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-637D-6125-5A00-01000000C801}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:13.328{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-637D-6125-5A00-01000000C801}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:13.313{B81B27B7-637D-6125-5A00-01000000C801}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:13.062{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B487CA1F36273AD9F484772C69E007C,SHA256=0F9F2BA782E7DE3017E5CCDE25001927F104E19FD8ED51F078114A39CC700DE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:13.832{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06DCC9B469F7FD1A7999F6EE8C385AB3,SHA256=29190E018F7E7E63C6D22BC518299C4349AD99E4B104AF23B940380CB7777FF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:13.316{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B961E580B5132A27111F3F4434EB76B,SHA256=140BDBDB39680866DD3BEEBF0191F1DB4E67FEB387F70BA7F5A50171C7B30EE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:09.352{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x800000000000000047954470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:08.946{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:14.332{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DA06B3B52C6BDCB00C6B2D0F8C9B4F,SHA256=5FE68F0C6632C8EBBB288CC3B6FA49C8E23BCA0EE2C3161192F4A170FFA883C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.395{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=827C662D462F33B3F6EFF1389B581F68,SHA256=042393744E87C8E5A91AB5A1C1B9E5A09DD8AB7BD403E0F44AA6C72D4E598718,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.395{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96BE8E4F0127D62A515CE1ABC0B39E1E,SHA256=6095E09C36195E153FECC95B6CEEB10BD17DFB4FA5749818C54E02C2FE499A00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.096{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA87E47F065A00F198134497807C3ED,SHA256=52F5F5FCDE3584A51693464C80A2BAFDAE928CBA16229FA8C7F19F7B5CCFD45A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.027{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-637E-6125-5B00-01000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.027{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.027{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.027{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.027{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.027{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-637E-6125-5B00-01000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.027{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-637E-6125-5B00-01000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:14.012{B81B27B7-637E-6125-5B00-01000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047954476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:15.347{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301ED026197F0A36492AD9FCE552A22A,SHA256=E01B5735EC5A8F35EE2EA57B19B114082B5DD911DD0A3042F2162E71B8FBACBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:15.126{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4A87C06FADD4794DB0FF5845708DA0,SHA256=683C8DF13CDBFB93667CAB28A9B4E07934F7DFEBB8C89574789371E95DACF188,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:15.222{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CEEFB4B25E5935BFA04E35E6B095A4C,SHA256=9A53F639FA963AD8563F9EB505BD239FF3194E5EB804CD72C5A66D2B38926286,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:16.465{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=008435A298B25912BCAC4B1DA8B6F69B,SHA256=914E5E250373AF47CEE23A23EC0DB852B9FDD375BCAA1585DCF279F1077DC6DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:16.356{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266962D53A0780868A19D218788A58B0,SHA256=BF86F3C82EA74E772ED59FD2496B65C6B3B0A1AA3C8585102CF95A1C20B36DC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:16.158{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D2626DDD87FE6B371E6EDF162C7BBF,SHA256=B7444CDB5CDCD6F76DCB36778C4BF765F6A29F3D1F0270D66AA469DBB9399776,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:22.183{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58836-false10.0.1.12-8000- 23542300x800000000000000030725036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:17.177{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6DB6ED4C647D8BCE440F61E2220C30,SHA256=985844FC856328F4AB71231D0403EF79A10790F29C80AD117B63F53FB2106FE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:17.700{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBA198D127AB101B79B83821BDFF28FB,SHA256=5FA5B4399E2C37479CBE673DD2583AB7D4961E382B1877A04B45667E624CF45E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:17.356{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27ED225850BE86F29F31502F5F1B3051,SHA256=585F0EE7CAA86EDC68A3CDEC2CEF5684050CA5808C20C445CC5E4C28210CEAEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:18.191{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEA80E31712B88418550CAD9201BCD3,SHA256=FECFC1273EBA8BDDCCB5BE273B1D515592346B83DA8303EB176FAFD2A4A6B756,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:18.872{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0DE9131C2EB79D098CE31DD730C9CC2,SHA256=7ADF925FB3AAC84D0E2B8C6F0F1DCECBF63E9A6C3AB0D6826F28CC38BAF2432B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:18.372{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9619B9F15CED277C5C39D44C89F99F27,SHA256=35C284D0730227F76AE21B1AC7012F312E888C57E73B4F750E40B825889686AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:14.048{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53752-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:19.403{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D9C2E081DB6CAEDD7E4EF2DA265524,SHA256=DB5A011F8EDD48623B88DA3BFA676BAF5AC0E6150E5A572410263F54680FE5EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.958{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6383-6125-5C00-01000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.958{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.958{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.958{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.958{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.958{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6383-6125-5C00-01000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.958{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6383-6125-5C00-01000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.953{B81B27B7-6383-6125-5C00-01000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.454{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.453{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=8C0D5B49989CA4193B604DA9D89EF16C,SHA256=89E1B72549A9FE16AE71F144D8F5C570DEF10A746B205BE0A969B3D624490049,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.206{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71C88CAA9E5B7E328CA6437D18A5C1D,SHA256=9FE51286D86CD30AD9B625935BF22E866E1DB37835529165A7CC8E2459EB3C5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:19.174{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:20.418{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A28301B57037882700D89711188C650,SHA256=D488B7607D81F48D9A3FE7564B1897EE068CEB7309DA9BE19332F412B185F64D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.962{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=066E856AB62B2E607B2256A1DAE78577,SHA256=C353E89C36975E7F3A7EBAF23D8C3A1A93851AD8AE215325BD51D7CCB60EE0F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.962{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=827C662D462F33B3F6EFF1389B581F68,SHA256=042393744E87C8E5A91AB5A1C1B9E5A09DD8AB7BD403E0F44AA6C72D4E598718,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.828{B81B27B7-6384-6125-5D00-01000000C801}40365336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.654{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6384-6125-5D00-01000000C801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.651{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6384-6125-5D00-01000000C801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.651{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6384-6125-5D00-01000000C801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.636{B81B27B7-6384-6125-5D00-01000000C801}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.206{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F79FD826816757E4C148E8C0DB91553,SHA256=6070DCB8F7805E468EEF4C4BFA2A3FF9448A54A80AC394F4C4EC49AC63BC6755,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:20.403{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=59382F7474B495968D67F3A7B0FA32CF,SHA256=AAEF44FAE30FEF5258317B961262933810E79178C294498A8902BC1F4F772D63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:20.090{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89C43969C04DAC31849222EF47585EED,SHA256=FC2A4D987AAEADFFAFF2F0BAA7BA3463A5F7FC8194158B0A830921C8094B8F7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:20.153{B81B27B7-6383-6125-5C00-01000000C801}24644316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047954489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:21.590{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B8E7B1D8A4336883A47BE400A3B07A9,SHA256=7412CFFA3C43EAA9D591EBF6CEBCDAA255E64D5274B94AFC30608241C3AC5CCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:21.481{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B2D93E70BFD9806D850395564A42CE,SHA256=5A3C4C763273FD85701F78D71651479D24CA985B7D6BBB3C37085CA71B682B6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:26.080{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58837-false10.0.1.12-8089- 23542300x800000000000000030725064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:21.228{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5492EFF1A5F1A154F90708868938ADA7,SHA256=66D9BCEB47ED27DEE52701EA429BF8A7C810A42D2FABFE7E9B191B67BE6EA176,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:22.260{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D62338D7911D28DE0D649C950DF3FF,SHA256=96E9557A3BE1CB91AB13379BC1E0DC5F4A840EA34D3BCE9521AE4307A468570D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:22.965{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33714907BDD924F5593DD605BAD3682F,SHA256=869939341CF6D1946812B69C521529BA47B65D6B4FD4E35F18AD261A1B1350DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:22.497{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB8AA7C85C0CC1918703D2E2815CF5A,SHA256=92B3406A2376B4A02542B449FE931C409D6174A44F4CA4414E53D08760D556BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:23.559{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70C9A51F89AC646BD217773671EDD84,SHA256=D25C0E46279184E0C68B63AD64B52C07EBDDC3514292F0BB702AE7261B64412D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:28.108{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58838-false10.0.1.12-8000- 23542300x800000000000000030725075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:23.294{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A37CCA0525BC05C6B354CEA74FB7E5,SHA256=0C8D9EB3B4C51B52B3230166D0C08373F7178AAEBA12E4FC8990181FAA002C20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:23.110{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6387-6125-5E00-01000000C801}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:23.110{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:23.110{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:23.110{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:23.110{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:23.110{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6387-6125-5E00-01000000C801}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:23.110{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6387-6125-5E00-01000000C801}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:23.095{B81B27B7-6387-6125-5E00-01000000C801}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047954495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:24.575{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F3CDDD81BB2F8DEC1735DF5F27D5DB,SHA256=22840CB922141E74BBE6C1C70337EAB1DB40F50B3265C6BFC0FE4CA8A4FE60C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:24.309{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE22F9B28E77F1F85AFAE801ADE56ADB,SHA256=7F260631812D00592F1FAA518FBBE0B464FBB67D18165860CF8E88297D6D7CAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:19.939{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53753-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:24.043{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22FFB633D4B289A9ECC415874095F9B2,SHA256=3DFAD79999EE3DF6DDA52761AAAE1A752AA53D59E77657D6989EB991EC8CC370,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:24.109{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=066E856AB62B2E607B2256A1DAE78577,SHA256=C353E89C36975E7F3A7EBAF23D8C3A1A93851AD8AE215325BD51D7CCB60EE0F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:25.575{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E297E87C42323C045AECB85AB76AD82E,SHA256=A477E6EDE58837471F0087BB86B61DCA4B1201BB623B06D016A04B974E386A91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:25.311{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986825E38BA1EC03C7146BD4C375B635,SHA256=94A45D88FBDEDB29C9CC35E6F2594173E89A784D0CC34F08E1C43E400A268EE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:25.278{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC544A2DD864FBE825ADE4FDE7E79F6B,SHA256=F535286BE9E2C0E60B8920A46B6CBB0CE6D57028E15A26EF66D0ED8F20066741,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:26.778{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4CA6532696737C22DAE9012A2BC65B5,SHA256=D0AEEA37A5181F3A42F606525E887D93FCDB44BBBA402BBF807FAA6AB052C2DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:26.590{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFFD4B18B83A087C5B708F68012CA89,SHA256=99B2BEDA78D3B5BE9E61709258B428F3B6823391411747F88EFBC8BB7B853F5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:26.340{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43149FA9854772B6B1AFA5B027A9B758,SHA256=F48AF05FAB542E42BD686FA4A091384569139C32E1EE516EB99AC1D70483D33F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:27.357{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155DADC3C846B0E9B79A82430F73A529,SHA256=181E6677F6235C3E35FF35A5B5F82D69E04CF7129D46D7DAB709FB5E885B2832,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:27.590{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C2D982D7FBAAF8E03D180F22C355AC,SHA256=5D17EE89781CD7CA43A0675787F37CAB7B0E1FE88692137B89161CCD6D281173,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:28.606{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4CA10AF0AD19024668026DAA15D3EF,SHA256=3035C158A402128E528FBD9BEA36113BE4B6DEA6116DC7472AE274F2BE484454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:34.003{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58839-false10.0.1.12-8000- 23542300x800000000000000030725082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:28.375{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E775A15ADE7282E5F0618B42FA2259,SHA256=C9F3DEF88E968636FC9987F547D0C78AA7DAE22D29588B97F8AA683D3C4C09B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:25.000{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53754-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:28.028{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71EA4B9DC643F58CE82EE68C505A3E5A,SHA256=C84B1A8F0BB8EF06571F4BA44F3EFCB00A85DAB9B9AE1351E455A0A5380FDAEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:29.653{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6184699EE11ABEE0DBFE59FDA75D993,SHA256=39A5B9546F4EED50778F21777F16B30E12E0721DC11482374777AC81685B1232,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:29.390{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A54FD084F0E5179D64A5A83D783556,SHA256=4B1A1A5ED48F05FB884664954664F83FBA034691FBFD254A9DA5E63A7E250C31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:29.059{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78697617B2E822B7F3633ECA1C657D17,SHA256=DD82583EC649C6BBFFB47295CEF9156ABE50CA677431E0ED210A8FA0791A25E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:30.684{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246A3B263546D10F33D8AF51B34684AA,SHA256=BCF976E7D8421E5BC01FF2F5C40751B60D4257EAE1F6CAE8CC152D392F21DA43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:30.436{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388C911D5A9A4E06F3E44F22F0659198,SHA256=C4DA46A087EC5C3276EF23213D2D4F7FA7D2B027219EEC50BFDA0F2FBDFE52F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:30.528{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D93977B41F40D9B76C0AA2570BA7C55B,SHA256=8A58035466DB5DA7A7BEEC3DA7F3273F98C84D8D4E09F9E1E0B8E29A3A335450,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:31.684{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEE99B2BA65C1AF01501DBCF4C58D53,SHA256=3FF123F1AE5A4800D9ED6BC30FA639CF22D9EE6F877F406D21D8FAB194314A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:31.453{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11F36AB3F6EC7D86CE9997E31D5D235,SHA256=F2C4A45AAC3C019A5257E2A9565E0381007274187F0DD16C22F2E0EF2837283D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:31.575{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FD37091B5940A911AAFFF917E13161A,SHA256=C69C9682E5BAF8B158833A90916ADAB3A175881C89BB278F273FFC278FF1B13C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:32.965{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97678D6D510693B774EE7DA6A4C49D87,SHA256=4E816404386027540B036CA1A8EF9941577A08A6F875BE6E6F8DE82907D16624,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:32.731{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB4C8F75B7E530D6F34CC29404992CA,SHA256=585455D9D770F0BBA3A528D9FF9000E7368DDCDA0D9268591E34FAD664D57B52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:32.456{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E966168DBFB681463D6E509CA4741C74,SHA256=D5864C28C02967FC3BC78B74B7F69C5015DB28B17FAA9EB7BE0A4FBD194AE92E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:33.471{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465E184CEB6449ADFB5B3CA57938DFAB,SHA256=11CF5145829633A85B15F0FF68E6DA2C32A27B13C581E568763642BF38D76D7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:33.762{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34D152C206BF2EA0D271D9222F42D36,SHA256=FAE857759D4928B882105F1EF3205E405166D2534AB9522A176610AF0F2466E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:30.095{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53755-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:34.778{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DD54D7056AA28222AE7AE904A2BC1F,SHA256=69AACED78BDEC82ACC6865568D1F1BB414874BE9B05FEDE391A62BB61F466DAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:40.013{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58840-false10.0.1.12-8000- 23542300x800000000000000030725089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:34.516{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A35E8C0BFF2B7B955FCCC60139ABE2,SHA256=BBBC6E0AEF024B3F96AE1E3E2D4752E6E13516A2172F8B4C2673505DA460604C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:34.090{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96D6709EECF20FF897690DDF90D44318,SHA256=C926E6EC38AB87BDF927D7934D7D519B3324C6F03690AD6BA943C197DC003985,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:35.781{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71945C7A768E89477534C8E891A50F9,SHA256=D776DB9CBA7A3495D38D8455E29E4C9A835D6B7190427696728A900A7730E880,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:35.530{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B99AEB374E356062B4D2DCF99EBB572,SHA256=F8C6895C5012C1393A67395DBC76B01880046ACB12C54447FF9C18651B37E6F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:35.184{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F2C9033B5B936FB247E1BB985AE4540,SHA256=27BD8BC1DAD2656995A304B2B2CEFBB567E0309F565FE7DEA46C129E2AD5E9D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:36.813{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA1495AD8525693552AE4106565AC0B,SHA256=DFCCBAC46709CC68C62802A31B1F43B91D83A3A281FBD57B7626C4EE9F1350CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:36.551{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B49E1C16A090AD42E635358051A83E6,SHA256=8610E36B873C015827973DBD1D05C2413E9C5D9F19E72DE0CD25CA438B3D2173,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:36.438{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=893377136B202F07E475BB90CAB0A3CF,SHA256=0479D06CF34A048AB6ED7825774CA9ED612D35E115D1348D44DED8B48164ECD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:37.813{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C101824B502ECA9D4A69443A46FAAF,SHA256=40AA43747CD117D082795484B4152F31B375B7276CEA146DA648BB1200E0DF57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:37.581{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED09077D0215C4BAB04A284B36ED961,SHA256=8AD456C8839FC59D6EF3016EA76DD00461CBB9F9162DA1AE5CF75D96B9238CAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:37.703{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89467F2E0F0AAF1DE4F8EAFC3CE36181,SHA256=BF69492056EBBACAD0F954D2AF3344B088ABFF8CD6F33C250695D78D77AA755A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:38.828{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C28609A059BBD34B00696F184819D8,SHA256=980ADC39A92814F73CCDAA8A2F8D641D8680FDC6F7D952539B544F1F5D754B58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:38.612{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92281B80C7E4C047D601054373B51D93,SHA256=6BCCCF0E0D922B32627F4A2A323C0A0F47F1B1852A8D2530233D96019576D118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:38.797{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CCF47C59C802C608BCCAE81540CBC8A,SHA256=DA0B3A31B87F1DF977E3204866E6E65779D87BEE8E6093A289255EA031E79A5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:39.953{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CF81F54794442C51EB6F704970F059,SHA256=A5FC658C4B9853BEE4B57D001BAED49A050511D5A9EE607F853798E911526178,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:39.648{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15382D2C793717281E0D1DEA86A4980D,SHA256=C0209F0B7A3098045978509C2BED28A7E9EBBE50D101E0D6855F90278C8BBA3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:36.037{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000030725096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:45.092{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58841-false10.0.1.12-8000- 13241300x800000000000000030725095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:39.165{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7992e-0x720bfb0d) 23542300x800000000000000047954528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:40.953{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19500DF98DBBFC60FD0346E85096BEE1,SHA256=55E512E3E142DAB06E7E74299EC90B79EB7FAF26D59D8D456315C90967A0DCBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:40.666{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC582CAC469DA05FB6A8F9249C3B0FC0,SHA256=CB2787F803775E9A6B112581A4A6E6FB1D344486AD1FA17E11A7B8B566F57AAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:36.993{3BF36828-401B-611D-1100-00000000CA01}396C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-128.attackrange.local123ntpfalse10.0.1.15WIN-HOST-987123ntp 23542300x800000000000000047954526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:40.156{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9BC327E28BE90469E4FC6FE6E4F9610,SHA256=6F7037549677DC5FE7FC025BB16B0A70DD1F0AE5B50F68280FCBDAE0DE631ECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:40.183{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B908340695114D894721C82C23DAC065,SHA256=1510CA2F32205BF4BDFC56DC3880566A99C2360E0FA631036A60BC8F0BEE4F3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:40.183{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0095754DB7F26BC67B93EA958D149EA0,SHA256=B6C4DFCA8BE4875B1E18A6A1590171C7F59B9C744338E93AF24AEC616225CFD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:41.969{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29288EC41AB77B51D507421ADA32E9C0,SHA256=0976C76652A7999F1A634D80C73FE31FF0741D16112D2D92420ABD823E9DBCEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:41.712{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D00F5A07B7E5F8FA4C9DC4545120C3,SHA256=F2A9C821CE09350AF2D19E2DF71CC52F834206FAAAA765C0AFD75EF9A0EC3797,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:41.547{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E89B3830C06C4E2163931085C49A8444,SHA256=DE7F32BB2084888DD83ABDB04C3F94247FB3D7CEEB8D82596AD428334FBBC95C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:46.069{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse10.0.1.14WIN-DC-128123ntp 23542300x800000000000000047954532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:42.985{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834EE39BC1838AD12B64BEB5902513D2,SHA256=2B96E0C5BDC3CB7647EF4743B30708A1C29A6170E89875BA6F450AF834A2AA52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:42.745{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF5F6F3AA1FE5BEC959AFEB6B142A4C,SHA256=0A2BF35B25C147D42DD727B573B396527A94715BC586710401251B27F367BE50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:42.656{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49328DC2AC41FD2211257E6726441230,SHA256=C6D8A7AD9CE2C28D31AF12A54546AA318E3258565640627AA8D64822183AEEC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:43.763{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27A429E1F48B60966F25D9DC17A44BD,SHA256=8195B07350965939306624ED6955B18EB64D19234F7CC948CE5D41E56149AF3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.875{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047954588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.875{3BF36828-639B-6125-4CF4-00000000CA01}20443024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.875{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.875{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047954585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.860{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AFFFF91FF8B0AA4ED76DA8A7BB784E8,SHA256=3977B3EFF790D56670B5459E0B4161741C905D9E5D98BAAC403F2C75D1EA34B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.735{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.735{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.735{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.735{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.735{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.735{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.735{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.735{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047954565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047954549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047954544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.719{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:43.704{3BF36828-639B-6125-4CF4-00000000CA01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:44.780{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDFB460C6E0250A352C422D9E1B9E97,SHA256=B1EFC82E93B1BCB3E3DB41B0A74D728C3C1E2E6C63AC61EB80ADC0B60E4EDD08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.563{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047954645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.547{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.547{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047954643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.422{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047954622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047954608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047954607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047954602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.409{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.392{3BF36828-639C-6125-4DF4-00000000CA01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047954590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:44.203{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C869BF8C0D55D4C1A11F65A6D2A5E853,SHA256=61FB4D26AC64301E2035B5A92680F475BD5CC8A8E238F938CC1C54DE9E32A633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:45.795{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89902A7730E3B03B0F4653A8C494F1FF,SHA256=46E135FE79DC76F6CF16547AA2923D7FFCB5944045D14B3B77A811A7FCCD87D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:50.153{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58842-false10.0.1.12-8000- 23542300x800000000000000047954770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.969{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFBCC55EFA5CFEA902E0409B3E4F4AD8,SHA256=ADFE6EAEF5EFC8FB6222DD633BF4C071242161ACA3A93D249C594FEDB853087C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.906{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BBB3C9A86EF2AEE1B4F2E4559403C01,SHA256=5BA58FAA586BCD21F5D1D8014AD407ACA1F1CF8FC32F91BB674BD2F622A21EDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.875{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047954767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.875{3BF36828-639D-6125-4FF4-00000000CA01}36925964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.875{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.875{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000047954764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:41.927{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53757-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.813{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A940AE3C22EDEF82CF9BAD28CF007074,SHA256=2927BD960A1AE02DEE16E9FF05D4AA9F7F5874EF991D4A218BF3FCA53FB30055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.750{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40FBBE36D62576D8F670E308CC55958C,SHA256=0D86FE0636992D072E3A7ED14F43341E695248F305F0C03810039276A137E816,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.750{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A186B7D73DBB1F2BACA2927ED39B9D,SHA256=23A759C51FE07FC8DDAB1BDADD31C73519A45656DF579FC7DDE0959A6AE63C15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.703{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.703{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.703{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.703{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047954740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047954725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.688{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047954721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047954718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.672{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.663{3BF36828-639D-6125-4FF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047954708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.656{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D308CC7327E4C1F5CEB4D2C937163A38,SHA256=4C73695D3A61BB11DC35FC08D527D4F5DAED5DA2552DAC722599FD18AF076B0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.578{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F58999EA6E4FDCBC6DA65F4B720ED72,SHA256=D334B4B6422E24BD341D6387648C43EC560EF76B9A1278F0C21BE553BDA657DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.406{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A34BA809CC134062CD25E76E126A51C1,SHA256=BB187D3C78344C4B533E09CA369BF759260145D6B7D99FE8435FE92CDDDDC3FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.375{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B74EEF221625EB26A1A67B847B9933,SHA256=3287AFFE6B4F27C4D7A2888E2FA7F3DD43CAC3D418B5F17EC490F97264CA93F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.328{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6367EEA7F423E0374EECFE0CF7BDD651,SHA256=D84E5349FA22618D7F1238B537220C2081C204932F21D5A96F21FFB57EDE0171,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.328{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F39DBD6BEA12FB065336C3F144A98C,SHA256=30C0CE5BD6FC82C01EE2A2ADD87FD5D8B08D429C60AEDBDE748A9794A2FBD9FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047954702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.297{3BF36828-639D-6125-4EF4-00000000CA01}1723656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.297{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.297{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047954699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.125{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.125{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.125{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.125{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.125{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.125{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.125{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.125{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.125{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047954690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047954675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.110{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047954663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047954658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.094{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:45.079{3BF36828-639D-6125-4EF4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:46.811{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3150CB8C3A2507E2D3B7278014BBB574,SHA256=5D9DD4F564AFBC33E68E6F0FD9658E0A5E0701712927332E0B45AB7736F45D82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.891{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.891{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.891{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.891{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047954877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047954856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047954854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047954853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047954852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047954851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047954849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047954846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047954842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047954839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.875{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.860{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.860{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000047954829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.360{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047954828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.344{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.344{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047954826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.328{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F7E857ECA13170D5A23427A6F08957,SHA256=7620AF595E6AAEA6926154803B6CA962F2DB23751C69493E22694ABBFABF534B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.235{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C69D6CCE48A96D07A41A7F585F7033E,SHA256=E95BE012BD02BA9FE998F392710C013055C1B4755BD9EEBDB76229F8FC3E04E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.203{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.203{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.203{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.203{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.203{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.203{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.203{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047954809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047954792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047954788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047954783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.188{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.177{3BF36828-639E-6125-50F4-00000000CA01}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047954771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:46.172{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D80620C829A325D03261800AB9DC89B,SHA256=A4572AD9A8A9503F8805549EAF3630E12C044AAFD762ED688E58AB55BB6EB01D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:47.863{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C951142C43D77A2B3307800C43644760,SHA256=64904152E45D8CDDB00E3C74C84D941D5AC79B184DC9BC78050DC92241E7614B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.563{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047954950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.563{3BF36828-639F-6125-52F4-00000000CA01}46362764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.563{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.563{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047954947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.422{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047954946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.422{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047954945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.422{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047954944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.422{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047954943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.422{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047954942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.422{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047954941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.422{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047954940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.422{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047954939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047954938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047954937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047954936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047954935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047954934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047954933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047954932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047954931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047954930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047954929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047954928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047954927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047954926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047954925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047954924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047954923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047954922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047954921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047954920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047954919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047954918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047954917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047954916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047954915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047954914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047954913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047954912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047954911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047954909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047954908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047954907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047954906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047954905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.407{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047954895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.392{3BF36828-639F-6125-52F4-00000000CA01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047954894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.360{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA519A4DAF3A26895B40B613DDE8CEBA,SHA256=B8AB186FB69DF93AF02EF9CECB3BD4FF8BBFE8E0A87664D826CC595A1D54F116,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.250{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4593DC6571A9B2F3CB570C1894FAC6A,SHA256=E04514531EFADC35888B2FFF23DE6CE3E0FA65FA79C80B2D4B00F7DA564D20C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.156{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDA05D4E7151836276901748A2EEF4D0,SHA256=848D4B15EBFD2C95F6385EA4E60C9453C838632D942F531521D6CE96BC64BDB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.047{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8271B371AAE925C835BC884683EB073,SHA256=4A1223718844028F658A392BA71FCC8210FC15BEFCA86A5248AC348AE6B3F302,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047954890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.016{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047954889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.016{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047954888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.000{3BF36828-639E-6125-51F4-00000000CA01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047954887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.000{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7A0B7B277DA881E52B622ECB241C89,SHA256=425DD51914C2440D8899C83DA06DF4ECCD4A97E160BB27FEA8370482D7165D0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:48.908{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B39A3F89BB6BF3A5E1AF9F9EAD214D,SHA256=713308E131F846B50317FEF19F779B8C2E4CBDE3CFA79AB938A87C619C31F4C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:48.594{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B094956C2F7FB94E41608954A2AF3166,SHA256=8900E908ED875691C416FA0D1D1AC5EE10894C5E49A5CB71A0483C62243E19DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:48.531{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CC6923E871C580537E04F51736C409,SHA256=D48EB4ACC683F9EDBC3F1A6B4C8A898EC39D9CB2A0F957799458605C0B0B15BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:48.531{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A4ADCBF691358459D31DB5F96CA663A,SHA256=A01178AE719A40F7CC09C4B3A204E9B567FB42EFB59F364BBD4B27072404F7D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:49.940{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B371A1CCB2245DEFA05B2A500CB0FC4,SHA256=FB7CF3ABB28CC5600BB9427CDCDD80FC05BD47AB401DF58CD8A8076214FE41A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:49.828{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95C29D9FC659D59335538A954687867C,SHA256=879C98F32154D1842978FD6E534D783528535C61C514A8366876EF78801BE756,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:49.578{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845AB36C11F98710FF61BB9B43722E49,SHA256=3137759707AF720AB823F90129008675B7D9CD3C6DD6B96713E8873FBC79AB25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:50.969{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE44C44C0926579651ED4D2B2F17F6AB,SHA256=F35074AAEE1AF4A0563FEC4FDAAD6E8C960A6FB75342E532EE29AF96FF348C1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:50.594{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E861851183989DECDC1840DECB3B0B80,SHA256=0F19672627AD3EAD0409FC4BB8CBACC17363F395BE523F6F552CD27232BFB20B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:56.088{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58843-false10.0.1.12-8000- 10341000x800000000000000047954978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.922{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.922{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.922{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.922{3BF36828-4019-611D-0B00-00000000CA01}6285276C:\Windows\system32\lsass.exe{3BF36828-4016-611D-0100-00000000CA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000047954974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.813{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047954959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:51.625{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15C8B273E8EBD87186FBB31256E9657,SHA256=4BA22969658F980DACD257629D1B803354C33211D3854CA112B9DD9482C99FA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:51.006{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0E6EA522A8A1A67327F44A95ED01C1,SHA256=C690060C23C97DC1C1B02641644420EA58B409AD1A22F3403F7CF1556473F30C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:52.657{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84687632B62763E7CBC0770870FA23CC,SHA256=2E288D9CFAE3748321569576A56A2D8E33C5212A9CBDAE279EBE704DBC7B7F3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:52.007{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F630EE2DB630256609CB54241F904A,SHA256=D6BEDAFBA34B291184B500BA73A2D93CD1723A082193B1C0151444815FD69346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:52.110{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4D98E43B4F8886BAE24EAE2420DB7CC,SHA256=24451BF8D1F846EAE6839B5D82A07301CF9009D2E6D1134CBC6E9DD5929226B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:47.880{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53758-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:53.875{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDACC53A18C3579B29D2735FBBE0ACF0,SHA256=0C452F9C1CCE05B5DF28422E79D608C7E1DB204AF638C6EFCCD7BDF5FE5AF36D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:53.875{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E9136D37CBA0F4B423AFFBAE424341,SHA256=DF04AEDCC9C6F3FA7017606704032F66863133CAEB9FE234FBC4C919A7DD61BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000030725125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:53.459{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030725124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:53.459{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fcb218d) 13241300x800000000000000030725123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:53.459{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79926-0x1951e35a) 13241300x800000000000000030725122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:53.459{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992e-0x7b164b5a) 13241300x800000000000000030725121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:53.459{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79936-0xdcdab35a) 13241300x800000000000000030725120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:53.459{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030725119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:53.459{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fcb218d) 13241300x800000000000000030725118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:53.459{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79926-0x1951e35a) 13241300x800000000000000030725117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:53.459{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992e-0x7b164b5a) 13241300x800000000000000030725116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:24:53.459{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79936-0xdcdab35a) 23542300x800000000000000030725115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:53.007{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E3A0A0FADBD17D2F03BCB177A22BD6,SHA256=FAE3D8D705B7CFF7199E0650F586FAC43039AC0477EAB42DA61B892654FCFEE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:49.677{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local53760-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x800000000000000047954984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:49.677{3BF36828-401B-611D-0F00-00000000CA01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53760-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x800000000000000047954983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:49.666{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53759-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047954982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:49.666{3BF36828-401B-611D-0F00-00000000CA01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53759-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000047954990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:54.875{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D428861620919CF6ACD5E16A0D8CD4,SHA256=069DE4787EECC4D9B334CCE0C3E75B703CB76AC8F8DA697F161B4280F8421BF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:54.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F932D25B99D3B40C14E440F4B2860C68,SHA256=E85EB378420D2EC011ECF86CC016E6AF124FF852750142286370B150AB3FB6A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:49.774{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53761-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000047954988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:49.774{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53761-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x800000000000000047954992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:55.879{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5F75B4D4C81271A534DF47A7373F5A,SHA256=735758846FDC465C8ADC3F058F9CB668834C699478B40DDBB0CC4B7D6FFD0856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:55.038{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9C6891A2C6C3E84F75E81965FCD913,SHA256=8BC089AAE0B5B322C1A46A7E7B9E7DAC0C69D88041C68A780ECCE6AC944C1211,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:55.016{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D69716DC33A912E911436FE65898A1F6,SHA256=89728430797FA6CC3F26B53266223CC8C29383E24D0D27C3D3E5C824EA847124,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:56.881{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A5A7DDDBAA00175A0B3759CCF555AC,SHA256=538F1C3D0276EF4F66CAD2B3360092A9D250603679022A5406F286B32682378D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:02.062{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58844-false10.0.1.12-8000- 23542300x800000000000000030725128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:56.056{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5024A0E559893936F90FBF72665A6D51,SHA256=E692698E860D5E42168D56C23D3BFE06A23CA252ABF81A7075AB4EDA162AAB31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:56.254{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46846BFD7AA9EBE5FB9F2ED1B8D90919,SHA256=2A5E15856E8AB437A39BB7A83585F26563816C5DE925FB9F2CC5236D7C42894C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:57.893{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252576492284E8D3D41761E70C34F232,SHA256=C08A2A8ECE7B471933C215657C3EAE4918B55DED5A5B2745FFD46F3AA20B9A0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:57.056{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B71949A10EEC0C022DB9FE838090E69,SHA256=CF032D26D3A42FE0C269AEA880328235FC5F0E38E68D2858AF6C907932FE53F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:57.396{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A658CF800D8FC75DFD392ADFCAA956DF,SHA256=BDAE65CCA9AC2E38D439643ABEAF8A63E9932FC4B79273E4CF19E0183744BFFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047954995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:53.005{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53762-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047954999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:58.896{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12046D9D2B9E408547F1C413207E95C3,SHA256=1216987B5D1693A3709624B053FF2B475BD9130C17B9CA1B410B20EDD51C54B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:58.118{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C9A26591FE3FAFDFDCD6F6B56ECCFA,SHA256=1B57D39FD846C97730B07CD41A95F1253513A96DD9341CD5733EC0DF8FD052B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047954998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:58.627{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0731722C4B1F26F3F979139A031E5AFE,SHA256=DC81BAF74B8928AB103FF2BB5168304781E2AB4F49C88E9ED2832CFB1EFCD7EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:24:59.134{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435AC4627CD4769B0DD83097D843A9EB,SHA256=C75DB14C17C57B2C55C6DE3AC26C7C5D62D39406546C8A51E47DC0BAC0F2BCE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:00.153{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF2F9B21BAEBD3CDD32553713A88FEE,SHA256=2B4F9B726D319B9E7E5977FB1E1678139D5034F01F506982732EE3F6208EC008,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:00.153{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4CE13AFB0976FD874AAEF7F25A7C6DC0,SHA256=3233A844590A2654CDCE41E28AC99E154EC53AFE272DEBE84708B83935721502,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:00.099{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4E88B9BB0E2CC1D16327ED975D80CBA,SHA256=232D419480868D5CEEAC4CFACB6429FB28F2D70911E53A6CDB29514146BC1565,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:00.099{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E29C47A44EAFEC3D9CD81A8F770312B,SHA256=0CFC8D68E1F3F74126D8F8C428993B9BA41BC9EC6B690FC1405322D7FC4F1D71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:01.183{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F1B97A62100AD910D83E6DF9F18E9E,SHA256=5C81795B0B6B490CC0F8C46F28523BAB78D1C7BC178EB77064C60D62FEA696A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:01.240{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D21B61CB13AAEB8846ECE5226CA9F6B9,SHA256=6A536C10EC83AB54A97A29AD2612A8D3D481DD0008202857A77E4E2AAC1A2BB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:01.240{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40679A1C2650F4B3B348B078BBB425D5,SHA256=26F962DC84345C069ABD11CA0322A75A6B603CB4A0C1E8180E12746121082EC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:24:58.970{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53763-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:02.333{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE886D26ADA0197C50F6F88E36B9C31D,SHA256=F6AC5991EBA60C652D6D241671C1E2208866FDD32D2967D699A056E15E24ABB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:02.240{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1964A9B9BC3E08D9D36A0386109C6666,SHA256=ECD8D999F87D7CD82940735A980F4C9EB4F429542A61BC3B16F92E5CDA9DBCDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:08.079{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58845-false10.0.1.12-8000- 23542300x800000000000000030725136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:02.198{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FA088A1468BE686C2A1A887DA24C91,SHA256=DB995A494A281F089DC33203E3606D31967F7A45E173F6226357FF1CE5A55A2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:03.615{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7D9459C4A4F8FBEF63D20A2660F6EC5,SHA256=530585757085A81D1BA7581F519665CB855E5775FC1EC3B920FA3671C24E1E1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:03.302{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C089537D3D18D5CD433CE210A3E9146,SHA256=371B3899BC2B85DC76ECEB75B88FEC3B9C7FD07EBA920D8849ACDC91963670A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:03.865{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63AF-6125-5F00-01000000C801}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:03.865{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-63AF-6125-5F00-01000000C801}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:03.865{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63AF-6125-5F00-01000000C801}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:03.850{B81B27B7-63AF-6125-5F00-01000000C801}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:03.230{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E540C3967F7107FAEB838BA75E27C070,SHA256=E799E2014F2C75898A68B7D76A9D408A53E3DACDF906C8F4688F14B50137C652,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.964{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30ECEBD4E367CF3515B4393B106B2D60,SHA256=E249855D58D95D59DDD45BC58ED56329122AF0DD77800122FE7F8D77E8AAE299,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.964{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B908340695114D894721C82C23DAC065,SHA256=1510CA2F32205BF4BDFC56DC3880566A99C2360E0FA631036A60BC8F0BEE4F3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.380{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63B0-6125-6000-01000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.380{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.380{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.380{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.380{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.380{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-63B0-6125-6000-01000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.380{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63B0-6125-6000-01000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.366{B81B27B7-63B0-6125-6000-01000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.265{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826DE0AABE3484A180759D8A1C73AFA1,SHA256=51E5107999AB011BC48C6525C1A0A483AC3615C8705B01EC716DD853A0EB1411,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:04.677{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFDAC41E1D65D14CFB05324BEFEE5C4D,SHA256=36B31334F6917E1B740909260A9B692887A09C74A3AB5D2677C73DDEA9475935,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:04.349{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E4946CC9C793F1A1919C14EC333373,SHA256=894A97C3DBC1F6466BF829C5200D78343E607A10A0C7DF6E82B513E2E0D5D75D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:04.049{B81B27B7-63AF-6125-5F00-01000000C801}28604740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:05.295{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483464A38704306370C063F003AD0894,SHA256=2E5717A573963BB5877B6BE1F07953524CA0D64CE79BB6FF93701057F3998276,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:05.865{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A901CB950D8A11F200394E9076C12A10,SHA256=3042C9232E3AB22300DB73F7E13151857FFC5113283C7CC6CC410FC06ECB1B75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:01.808{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53764-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047955012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:01.808{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53764-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000047955011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:05.365{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231D567CA393DD1893D986B6ACBBE5A4,SHA256=05BBDCB5B488ACC92BDBB1D5A0086153CE1FDED52074287520B4A9483E2CA7CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:06.310{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F353901F787BD4A0A4D8640FAB1C4D22,SHA256=0C8E34122D25F7A80D7480C1B201B405B9521E5316D58D52AAB6E28CAF623507,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:06.380{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CF918060A57D83C968B5DF1B674BF6,SHA256=E3C175FD14E71E45EE295864BDFD34C499DA00300955DBEE59E6C5AD28CFCFC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:07.396{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07040F41E7242BCF14426686D1F2B120,SHA256=C8D670190CACA30F674E0AE22A66C5665FE9DAE3188E2A313CC3121AF2570A1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:07.326{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2882DC1799846B883A9A20E9B1DFFEB,SHA256=CB0398F19A5D9ACC3B7B75F034135AB4321AB4BA2652B39678685FE06EBC0A9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:07.068{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4F0969B28D4E6776FACEEEBC458188C,SHA256=3610976F9C003AF114A9152B3CA38DE0037A88F5C27ABA9DC51C967F6E99E9FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:04.932{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53765-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:08.396{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718DAFFBFA65B3B20FDC2D18789F5F82,SHA256=678633A957FAA694CC7ABEA159644859F43F3D791E897168B0C8CEE11B2B0B18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:08.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA4844DA5E928461CC4ACD2100A19F1,SHA256=555F6288093E99AE6879F26BAA382B43EAD2716BFC62DC0B15D1D5DDF33B2B86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:08.099{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FED40D4122669BD712DC2042461C6F0,SHA256=EE60C7FC6C5DC2C6CF8EEDC94A8F2B14F2F2BDC22AC414F506D85B877E2FCDF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:09.412{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C3FE182B82986075A19DCC75684B0A,SHA256=48E6EB8E1D0179A5E1C17A9D590E975C5543D6E6F3583D550C7CE33BA8BF33E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:09.376{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE6E442E9E94AC1713B463A6CCED475,SHA256=0D1E724BB0F2CA3CBA3E8D20136931C4FA4AC526D53D703C7342EA139D19323E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:09.208{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FDE9CBAAF310CA0296A77FC4FBD1452,SHA256=B6CE6DFF3C51CC39826A89EE1A436E18D1D0C011C02344FA852FD2AFADD848DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.073{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58846-false10.0.1.12-8000- 23542300x800000000000000030725165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:10.407{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB870567EE7CEF3A5AB27630E74DA83,SHA256=C1D11008EB44B79AAAB95CAE4B2BAB1E76498D801F25D8705970C34F7F21F00F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:10.677{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AE16E6DA8AA803C54D60184DD74E72A,SHA256=C2DD8B6622D53717EDEC19585E9575522A32870BB4B3ACA2618AB259A767AD16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:10.412{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5597E393628E748C20835F568B78C8CF,SHA256=05D6791DF34912B6E5BB72F0C3DA7D7E55C26D6C535C52FD06CDA4D87CC07F04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047955024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:10.208{3BF36828-401B-611D-0F00-00000000CA01}2966092C:\Windows\system32\svchost.exe{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:10.208{3BF36828-401B-611D-0F00-00000000CA01}2966092C:\Windows\system32\svchost.exe{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:11.423{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032AC5D76EC41267761FADB19FE6293B,SHA256=43C2F39D9904A887F1EF16434DA888A13D330479CA2CB22B763B8CAD84FC7636,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:11.537{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:11.427{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13591220AA36C2393DB07996A47D996F,SHA256=25F794E56560E5AF0E8355AE1E306CEE6B825B788423431DE51BF9B6371C9EAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:12.426{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA04B381A0F074D4CD5EC5AE94AC172,SHA256=F4DA33BB68FDC3EA762E66640687F7C1375E820C305EDAFEF55AA37751A75D38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:12.427{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C228EC5BC83C3E12F8E586ADD40D6BEB,SHA256=D5743FB534BCC611CE90B2C1D5B34FE6C6C119764E5C3C6C73E6ED17FBFCE111,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:12.052{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BEA373D5D5EB5B8325D63C049817C90,SHA256=04ABFE91F49E8C6BD42AA05DCE66454C0DD521A628D9F368B5627EB1E7B8FBBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:13.456{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379E2FC576CDAA6A814FAC9443645E1A,SHA256=11048C8882FB80835F141816FD2CBC95E5D295E5784FAB4AC7F189D0F65087E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:09.369{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53766-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000047955032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:13.443{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467983577967D54B28DEA8E18F847E9E,SHA256=5A1E41373F4A1A9E9A6F04E429A0C4462234B3AC1A8132998F92A9D60D4687DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:13.325{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63B9-6125-6100-01000000C801}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:13.325{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:13.325{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:13.325{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:13.325{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:13.325{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-63B9-6125-6100-01000000C801}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:13.325{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63B9-6125-6100-01000000C801}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:13.320{B81B27B7-63B9-6125-6100-01000000C801}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:13.115{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5280A8D9B203C51EE19565E5F8BCD52C,SHA256=909C1A288DF5A055D44D14B945C573B1A61B9CFAB6F23210BC3B6059CB33CEE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:10.948{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53767-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:14.458{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65120000066F92BFF90DCF285A26A0A8,SHA256=20CEF83394127EA4ECF0B5137675595D846DD71F6F64601B404729AAF7909FE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.539{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2708241BB62CD990DF97FC2335A9819,SHA256=87127A2DF397B9DA671C023A35716E335352CE92DE15EFD84E1D4DFBDA9D7CE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.539{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30ECEBD4E367CF3515B4393B106B2D60,SHA256=E249855D58D95D59DDD45BC58ED56329122AF0DD77800122FE7F8D77E8AAE299,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.486{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8D747D26CCF75391FF6BC544EC2A13,SHA256=C687D47A1FECBD0842FDCA01001785A0FD9CF3BAA2FC284C41348AFCF2B3D8B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.050{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58847-false10.0.1.12-8000- 10341000x800000000000000030725185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.171{B81B27B7-63BA-6125-6200-01000000C801}2792224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.024{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63BA-6125-6200-01000000C801}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.023{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.023{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.022{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.022{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.022{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-63BA-6125-6200-01000000C801}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.022{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63BA-6125-6200-01000000C801}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:14.003{B81B27B7-63BA-6125-6200-01000000C801}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:14.333{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2241026317659A9FE92D430A72204DD1,SHA256=5427BAC069412A98F3AF9B423CCA8B33A90589C4A79D8317329C1C83D5AF68C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:15.791{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EFEDC344A56E20A0C3155EFA1011413,SHA256=1D726068ECACD83D8CB723FB63F6662A40224663BDCE984BF9AF6E99F6A8A8EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:15.474{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E305527EC0904E6F9D87D860F4565C87,SHA256=E4A7D5EB6C43AE316FE8224B3F1289BDB3E0DBEA63128E57E39FF7B01C602293,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:15.510{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5206E7334FCF0D6E751FA13AFEB57852,SHA256=BBF41C4301F1109FD0F05D95D82B038A994392A17E61B9615A7C374DCC1C11E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047955037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:15.208{3BF36828-4019-611D-0B00-00000000CA01}628676C:\Windows\system32\lsass.exe{3BF36828-4016-611D-0100-00000000CA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000030725219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.800{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:16.518{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D09E1D564001BDEF26E347BB0FA586,SHA256=52116618DA571F0C44144F95C42129D8E95BC36CDD8820943299B8D32E850731,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:16.884{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D8A49F9CE011EA1B6B598C0FC0C6A8D,SHA256=9D048B2939E1D82C3EEAE1670C3922DCCEE949DFAD1F1C74E04B777F3391F012,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:13.058{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53768-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000047955041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:13.058{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53768-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x800000000000000047955040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:16.478{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDAD23303F8AE30815794B548BF24B1,SHA256=A26CFD93736BF22B794B8766A751D5C056F523515A0D395B32572E42A23DDF63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:17.967{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C583374AF568C0E45E4DD0631C5154,SHA256=9F582F3DCC0D581ABFF24176F43BD3A7271C9E8821AA69A6EB095FBC12A3AF6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:17.978{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C16B19A7523B0BE3ED0E7094492F8AD7,SHA256=DDC8C32BA2734D5CB7B0A439558BEA218B35AAAF24BD735BC4859F9B1E41DD80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:17.494{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28C3F68C98651B2C8726A4E23E6AB0F,SHA256=5FC66620AA7D238FA7EF570D25F7566E22957CD49531EDC311F3BAE7A3F03441,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:18.997{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D46AA202945E721201CB5042F91744,SHA256=14905D7CE14719D741938E62031D136A17F61CAFAA7535E471689F1474165653,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:18.541{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0BAD23148D5EA4E54B1606E5DF8F11,SHA256=9AF16F79574D84554086D88B7C9330002CFBA769EF3EAFAADA92DA33F0AED1E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:16.045{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53769-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:19.556{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779D6B5DC14C3ACF04FFE107323ECB2B,SHA256=FFFEB6BB560FD06045C9F5193015658FB83F9878B0A0122F7860DA7D8520AB29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:19.980{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63BF-6125-6300-01000000C801}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:19.980{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:19.980{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:19.980{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:19.980{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:19.980{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-63BF-6125-6300-01000000C801}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:19.980{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63BF-6125-6300-01000000C801}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:19.965{B81B27B7-63BF-6125-6300-01000000C801}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030725223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:25.125{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58848-false10.0.1.12-8000- 23542300x800000000000000030725222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:19.197{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:19.212{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF3230BCB033941189EEADBE969785E9,SHA256=13897B676FE6FFFF2C8E481CAC26F0D4F42D3932B82020C293909EA849B76977,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:20.587{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64014D0A85D76C7A88D008CBF45D999D,SHA256=EF3C05D15231B06531E13BEC3E736555DB10B0E5AE07A318529F4661B955DD23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.811{B81B27B7-63C0-6125-6400-01000000C801}21326224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.664{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63C0-6125-6400-01000000C801}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.664{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.664{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.664{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.664{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.664{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-63C0-6125-6400-01000000C801}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.664{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63C0-6125-6400-01000000C801}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.649{B81B27B7-63C0-6125-6400-01000000C801}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030725234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:26.109{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58849-false10.0.1.12-8089- 10341000x800000000000000030725233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.249{B81B27B7-63BF-6125-6300-01000000C801}55966716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:20.018{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC0C1CB0F40FC4ECD1E771A40D8125A,SHA256=CEA0E509FF03E34657A95E30A9EA58E1DD5309D012E832BF42B0258DBB30F37E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:20.525{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0300E4DFC977E1A9DE2B36C7B7DEB6E7,SHA256=DB8CC339C020B454FA5F92FA939A5CC6681ED7A9DCC64BCB68C9D97A770355E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:20.416{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7AD96058288BBA76360E4ACF1AA7E623,SHA256=BA59C06BB8331FD21894D96838615150B03412FB8BDD3B62EB1F1313CB61D9B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:21.744{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A4F8641D61E5743BF5E8496607414B6,SHA256=DF16850CB5DBF385F59AD441F5576037B22668E4D546237FBDC155B9887B026C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:21.603{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72DA5D539CDB6B887966F0DF4E45985,SHA256=553EAD387BBF427E8D97D154124C79B4C13C65547B9AF14AA302D278D69EF4E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:21.132{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55936F4FEDDBB39F42CEAC0BC78AEC46,SHA256=DA00C32FCBBF2D850AB886258A1C8288F5E2D00AE060C7EC134B16CABC172D53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:21.132{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2708241BB62CD990DF97FC2335A9819,SHA256=87127A2DF397B9DA671C023A35716E335352CE92DE15EFD84E1D4DFBDA9D7CE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:21.048{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A134ECF252FB93D4E1939EB611AC2367,SHA256=CD84E9FBC130CAFFB3E91222D3050C0A5774856B939BAD040C9ADBDB33632757,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:22.869{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EDC5ACDD66CB7291EF0ABA65848AE80,SHA256=528B87A89975D2C93C960C707059E6DA454C5395BA96DD4885A1D3BB6952FFC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:22.666{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2FA16925588911D50E72F21C4731C2,SHA256=E5C82308B73061E5FB738F4CE13ACDF574F4D459A2D31CF7F2D2E9025F7FB5F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:22.063{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E326FD6866A06D9E99B9DC34D55A5C68,SHA256=2E3B579025B617142D67D7DD308477E86C5F0E5EAC73DC45ACCFD76573E40CB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:23.697{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEC28A2ACCABA20711291ED7837B9B3,SHA256=3B49835284FE2620932718FF07D16BBF76747D7CD3DBBE4C129F12E23FE85BC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:23.115{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63C3-6125-6500-01000000C801}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:23.115{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:23.115{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:23.115{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:23.115{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:23.115{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-63C3-6125-6500-01000000C801}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:23.115{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63C3-6125-6500-01000000C801}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:23.109{B81B27B7-63C3-6125-6500-01000000C801}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:23.093{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CE4E103546630957152AFDA27E4AF4,SHA256=3E7EFDC2418587BCFE98476A4E1D681AB44E427E979997A5AA1B2CBF03699AA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:24.744{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249D4EB95B73F67235A4A98C5EA4151B,SHA256=7EDFB0764ABE6E5A4E3A5802C316445AE594A9FDC920D360A561E34F9CAAB22F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:24.132{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55936F4FEDDBB39F42CEAC0BC78AEC46,SHA256=DA00C32FCBBF2D850AB886258A1C8288F5E2D00AE060C7EC134B16CABC172D53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:24.094{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFBE533515F5265D861378F4C621472,SHA256=C36F557606E308A8FFFC74E90997D1BBA569C1E06CF3912ABEF483E671540C1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:24.025{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=005880D7A37E14B40D55789A81D103CC,SHA256=ABAA32CFBF6C39FAEE295A7ACEDD16D44CF2E6134FABC96F41749947CC871B61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:25.759{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60210D01F3B12727A743AC50F3D57BA,SHA256=6C7FA8454FACF91A999AA543FC8E1CA81ACC849D28AA096E930E4E8AE5997022,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:31.037{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58850-false10.0.1.12-8000- 23542300x800000000000000030725259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:25.113{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88002749615C8F82B39F737DAA147D92,SHA256=D00C5379DF7CBD5C4E6B93E0F748BDA3B1A92D14576AAC630E8A7B544D4D967A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:25.181{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBA9AED1EE69704F49F3151C274B92F6,SHA256=3D2777D3D325DBE9E96A19CAC97834BF546DA1E3391C944DFF257244CB02D2D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:21.076{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53770-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:26.791{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA559C665BDC39E5B7AB7D8F3387686,SHA256=31DA12463CE497946ECBC8F427AEB1BBE2F8C7936705832EBA77140A8673506D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:26.130{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C514685D22D133E2D0F5E173C635AE49,SHA256=8E63D96ED4CC7C18C96067F32C289D52438F720406D8B2CBFEE8FCA4B4265FC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:26.447{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E46D75FA378BBD4DF8A012C56ADB6B5,SHA256=A7426F2C59B206F840F11113962FF5F984D87C77F67333FBA825F0821EFCCF44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:27.822{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5419F7E66EA814D045C38F6B5B19542F,SHA256=6D9EC7303E6458A8B51D31D8899C4A99D285E8B65FE68D33D4489A5C3D23A351,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:27.144{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BC8EA56ED960489CF18492845DC21F,SHA256=DAECC56989ACFB50E0DC91E3DE274433CF358B6F205B30ED1BE2A42E38ECAABE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:27.604{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3BC0C3CF5307591B8BC4CB175A632BE,SHA256=55E96EE907A6EBD4E58942B3032C43E12844D36C1DA73CC8F1756CD4109E9EFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:28.854{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE35A61017CB05349D95B8A52695AC8,SHA256=327C1046CBA287D3017597B3424EEEB9F2BBE6463A97D57F108CE02330B937FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:28.159{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3715F7EB6010F86E2FB51E63F397B4FC,SHA256=0255CEA3B63B6CC9EE4B3DBFAC1269412F8C37BCF96CBD77B59BBBFDBDF54019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:29.917{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA5BEE3369145EAFEBDCEFEA7AECA66,SHA256=BF0334D33A5610529E9A0F40235422202A82DBE9F0BFCA242748E3813A88EF87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:29.174{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCE4B50939156FFA95AB14A4056E8C6,SHA256=343283D94F0B3EC74A4492C43A15CFDAB8F284F9BF9F8BED3A0F2A0A324A9493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:28.995{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C31441673DB80D284FDB602C69B64A58,SHA256=139FBA01934CA40082AB92824DE78F937C19F22C182ACCEB26F8B5966020F32B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:30.917{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD25B8D77091F58530AB8896381EC69,SHA256=FAC9E844896740EA3F66D3087710497FFBD27A95199A8F85D5C81369B5FFA63C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:30.189{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5377D1F83E45D4539E3664D976689A73,SHA256=EB99C1210C0A0CB032A4158D567991ABDCB50B89FA97DABDDA55739957C9A003,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:26.984{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53771-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:30.198{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A25DD32DD2494725D6A3330031F85F9,SHA256=ED7AC78D674C2855AED17734E9E7426993487C36FD6E171BB65C37FC3F976937,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:31.948{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC04837C666E16886AA586E0E1DDC51,SHA256=04B5B6715E8E6AFC99741F9C4FC8727DD13B0C325A2A51E3BD86FBEC4F2600E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:36.954{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58851-false10.0.1.12-8000- 23542300x800000000000000030725266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:31.210{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A215080DB2E0DF38FBFE9266FDAAEA8,SHA256=F5BAA465BE5486C46F226C6749BF0EAFA4C652BA5F860BACD8E86FF18F28E42A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:31.324{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F40D778544AAEB632B6BFB0D16C956,SHA256=F39FDE8634A077A42EC56EBE5B3A3AA9570642FD61733CBE38303BD36BB71609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:32.240{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716EECE8C58A4A224C2CC68A9F295A74,SHA256=DD7A5970691DD76E6C268B9BAF68F1EFFF55F3401A1F7ED7A542A262101DCC3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:32.464{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE919356A9071DF5A3AB0ADE38E6CA66,SHA256=79C0DCAD1350733E539BE1C8201072295A4A224E1B7A667BB9F3FA3E8E2DC2F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:33.270{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F503576DF9B0AD0292FBB6394F57D37,SHA256=0192DD07F79CDBC7BDD2788D6BEBADE43E722785C1C2067A4355E0931D6CA18E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:33.886{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44EA8CB5829FDFCEBB0F1E0E10DCC40D,SHA256=DC2F7B5323F4A5B21ECEB6896EBF60277C6928F054672432F081CF44A0A61651,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:33.011{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A17F157DDE5B4A157BA273072969F4A,SHA256=26DE389627995C64E170F26165612424367BD7F8DEE25EFC34F5F274D0BC4697,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:34.285{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDA481A5A85526345AABE69515021CE,SHA256=8D340B367CA7944FFDABCBF5432D66F69BCD006A05232797BDB5C7B14A47BBEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:34.011{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03B0F149F6B534B7BF06FC98BE0CECD,SHA256=F08D30D7A33462AF26CBD8471CD527D6C9BF085557EEE51E9AF98A86508F2FB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:35.302{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB404AB6C81DB1127DDB753466A5A86,SHA256=28F715307DB304D18C4DE48F2451A7F07D2E52BAAD58D1C60AE47A3D6360BA85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:35.229{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0116A84A16A27BB729559BE8B7448A24,SHA256=02CC5311AB59694B4763C86341258851489B03660ED572A6042F0C0A05F7A458,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:35.042{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C827261975D2B317DB4FB0EE9713CF1,SHA256=45B16630988C73BE0A5B35E3CF114FCFC9B60FFD852BDC9FD77CD977B3B07AF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:36.367{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBE8329333C5F87CA1D7F8E4DBF34DE,SHA256=586D4E277CE5CD08CA8BDE275D74C7F900FD545B2D0D2282A363155CC8F30855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:32.093{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53772-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:36.323{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FC8E7486478E2934E005CE13701527F,SHA256=7DC7FBB296A7EB58E0F955C26B6C5CC06374FC913630212A623426F58353D274,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:36.042{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EBB24FB620A81FDE6237D3764ADB34,SHA256=13EDB361ED581AE5CEEA557241C578B7C6B997684FF36CC2321049A8E9D54F38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:37.399{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9483EDB43903DDFFB33D11B9CA673EA2,SHA256=CBB47906F3A7DC023CFD27C303521C4C09C808A8A247E434D7C7019DAE6585C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:37.480{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=499ED933F1FAC62E3ACEF1C3F5734CC4,SHA256=9DCC5DA1A9933478C6376716753BFCF738AD8BDFEFE5C6EAE959026885720F56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:37.058{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77A2F9F658CE93EFF111010DBAB13B6,SHA256=A197111ADE300AB8E0162B0435CFF5EB033326294BB7905EB1E5FB6EE15A80C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:42.049{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58852-false10.0.1.12-8000- 23542300x800000000000000030725275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:38.434{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B2A8BF91E6B7F837A00FFC5639905A,SHA256=C1991765741C4BFAC34811D577C9E4B1C709B30E3A8BB9FD8D8533223311DFCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:38.526{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9BFEDE51E6A1FF12175F44049EC4023,SHA256=ACD7FE3532018E029EB5C63B45EFF596B7530BF957499CC92120D9DB170794B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:38.058{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C675C6A0FD50EB79EEE1A170789341,SHA256=3309694853773BB2BA96CC5CDCBBCA079638A1B8F41E059A08F2F15041426BBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:39.464{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EF639F6D13623E7DDC38D0D22F1E75,SHA256=CFC960B6C3D6327D051A817E9A25E0412E2019623C3373E0603EA2F299463D1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:39.558{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86C0FFD052388DAA50D24056AE48E899,SHA256=706032FA935CD321C2F269F3FFE7A13090FCFE41E035EB7F38C1616E53732B90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:39.073{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D268B0D3A3186F899F1116FCDA4203,SHA256=7ADF7E45CE50EEFC91F040371EF3F866D54A932355DEBA56E0249A88FA99848F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:40.496{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764C32033A83B55E5E378208472F6949,SHA256=16E015062048FF7F5F3A652C573E094A80891B892AE29D495FF42C043A0D5960,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:40.823{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D40D9A989056650790C82366AFF69E3E,SHA256=770E03247E2C3FA82F109666031F228E66862E870A9ED9057EE6E5DC11F163C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:40.105{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7EF733BFAC3393CE333BF3245C7739,SHA256=F972367B16670FCA116F84400609DAC3F6A04F8B2A69613ACA264B1AC6854AAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:47.176{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58853-false10.0.1.12-8000- 23542300x800000000000000030725278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:41.546{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376519FD6E78C45FC38E39ECD26E85AD,SHA256=6E72385EA01203D06A23CB1671D0F3A650962BD435F9D4429E73DD6CD9E7377D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:41.120{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0844E97559AAC7501E8EFA6DA287DF77,SHA256=71B58428F9B61231CEBAE0013D5F8696523FA7787A274185446CAEE16608B3AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:42.560{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C46F6739E668E410DEABAF78C1179D8,SHA256=E26D6D0EF3BB32AF7D9542F980DEF93B11A4EACDA4289CF04221E8DA0F5C3456,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:38.031{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53773-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:42.339{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37A1A64C0D421D5EEF9E1805CDDE830A,SHA256=6D8189D2F85EF1BCBAD4DBC2338652FD08230BD67517086236D8DD08275387CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:42.120{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11257E6A42D1677A8E322A713DB823B,SHA256=D71D0D44236936B2A018091118260824355D75DFC0C93F6133D65B5FEB115C01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:43.575{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9DE43ACB1EC594F0BFAB84AC5E764C1,SHA256=1C2413E7063B8434A8BE9404FACB8FE20F6C96FEA9CF11018D8B0AA089B8731F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.855{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D426946C876FDBBD7C7552275D032EA4,SHA256=135BFF3995DE3649CD086A75E342E8780E000992CAA131462C8EFD47F2C6CC2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.730{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047955152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.730{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.730{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047955150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.589{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.589{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.589{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.589{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.589{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.589{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.589{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.589{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047955135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047955115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047955114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047955111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047955110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047955107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.558{3BF36828-63D7-6125-53F4-00000000CA01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.448{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38F7F4DFAEAEFA9ED2694E29C134423E,SHA256=4C24D6ADE280BB4A2B183F9214113A670696521E2087116B51DFF9201182D338,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:43.136{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE7A28B02752E870211686D6B2697F7,SHA256=803A67091E8C0E58EF73A158CC1013C700C7DA6EE66DCEB1CEA635C6A26092D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:44.577{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2623F1F539B9D066EB820DB05120EEC1,SHA256=766A05A89F178058F2FF87263039AB3CDB11A296BAFDFE8DE15B21D78617E08E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.964{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F51EB9B0E4FBE5414F38457518E9DAA6,SHA256=68D74A2AD6C3E753F7F231D570224B0340247805B4BCA44BD765785A3F670C1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.902{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44C1FD61E05944429AFB50E6F8DEA80,SHA256=2279EDA1457139306C34C3B63C27467092274E2BDFEEDB5BA83AFC7CD74EEE04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.902{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.902{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.886{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.886{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.886{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.886{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.886{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.886{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047955247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047955229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047955226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047955224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.870{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.848{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.839{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C70E5F89F28CD644CC235B3E43D5A729,SHA256=0FEB33BFCD05648BD695640E8C144A2F56615DA504F2F6A739F89C2A040DF694,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.417{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047955210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.417{3BF36828-63D8-6125-54F4-00000000CA01}55764376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.417{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.417{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047955207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.245{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.245{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.245{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.245{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.245{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.245{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.245{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.245{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047955187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047955172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047955169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047955168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047955166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.230{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.215{3BF36828-63D8-6125-54F4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.151{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9049C18A3696048DE7171F31476147E2,SHA256=7CFFFFCF8314D1DB32FF3B79BFF226FB964981AA58E3EC49AD64D3803C1924E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:45.595{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1082CD6307831C941CEEFB1BFD7573,SHA256=9602AE538859BC760B876AAB931887C5B89DF8422256D25576DF4816B5D77698,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.948{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E67C0E98C40A3DBF0E513B0D28E2340B,SHA256=A0B65FAD9FF76E49589F87F150FFE9E557157B4202454499A93CB292A06572D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.948{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC986DBB20787105C06D3C3EA695FCA6,SHA256=EB86A731BF94A51A0F03B84E042CB6611189C7135B961CDC3D622BEBF32A9CFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.917{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.917{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.917{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.917{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.917{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.917{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.917{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.917{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047955382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047955361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047955359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047955357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047955356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047955355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047955354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047955351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047955348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047955347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047955344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.901{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.893{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.886{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD02B33381D682D4919A34FB1B1F20B5,SHA256=664F684F667329721901FF99EED8A1AB74F8DB22910DD7073A5E30A5AD5B049E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.792{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=639B23F08FA2A47E4D93587797ED0DD7,SHA256=03B884135A9D73B4F6E882C977F387D98DD014574904830EBC65B3C3DC7C0DEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.730{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ECD184B295AB460E0639F709F14C35B,SHA256=6117B401C8976A52E3CB2AFF71B9D75809421CDA1032EBC7445C90BBF2C0CEE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.667{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F564899AD20C98ECE1343BBCFD967F,SHA256=B627D022458B9D326852A37A9E4D1887F6953706FC607A576DFA22DDD0C7E2BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.573{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047955329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.558{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.558{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047955327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.526{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5785DE2A8161A2D70B5584AA5A36793A,SHA256=393CA6EDC4B272B6A8CD9118F40F2D3C969BA7FA9FFA937058988FF117ABC19E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.433{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4756CF23DD8B20CB222990996140E108,SHA256=45EFF7AAC81254AABCE4F39E079D7B2A2ADC9713A4D349CBAB816738005D33F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047955310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.401{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047955293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047955289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047955286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047955284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.386{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.377{3BF36828-63D9-6125-56F4-00000000CA01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.370{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52E247EAAA452239F1232687E5CFADF8,SHA256=63430159CE2DB761F8B1CE2E9F358688AA1A032E3A2E9A1D4D56EF683388651D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.308{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F21C3A9348AE58E7C4202A955E9094,SHA256=D66181851E53DE739AB6F6A34675945D5F01E249C8496B4F3014973D943B81FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.043{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047955269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.043{3BF36828-63D8-6125-55F4-00000000CA01}36202264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.043{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:45.043{3BF36828-63D8-6125-55F4-00000000CA01}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000030725284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:46.692{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837F91C31E2CD5D25633B2457A24A3FB,SHA256=F34AE081C4927C3E03D9D978C27CBDC8DAA271A7D30835393B60F2134CAF5282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047955455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.745{3BF36828-63DA-6125-58F4-00000000CA01}1726120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.745{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.745{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047955452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.698{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E558603C5F6AF92A3439A37D1837222A,SHA256=267DF6BA59F895C7B321018AEDE2A9D52D5E8DFA268FE9B6F6EACB7BDEF4ADBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.605{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.605{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.605{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.605{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047955442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047955427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047955415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047955412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047955411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047955408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.589{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.573{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.573{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.574{3BF36828-63DA-6125-58F4-00000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.511{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B0B3A988D4C5C21BC6B68F41B25EBA,SHA256=3276F8056080289CD99693BD14F03585CD049E1A1F9B749DF084CFB2EC3FDA41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.058{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047955396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.042{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.042{3BF36828-63D9-6125-57F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047955394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:46.011{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDC068DE2245A350BADE73D1DDFEBD80,SHA256=C77C2CFF83FC4C57A2606BC43FF2A7C20E56322EDBDC3EA8A2DD8B2191EAF079,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:47.727{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34871F90EBB1E9512A08AFB93FB3B5DF,SHA256=E4F2EBBD27AB2D2603FEE68FB25E16CFFC264A5A5D1B35EA052616EBCAD251EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.542{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98376BA3013322259A04B066DF004B4B,SHA256=2C2626DBEAEEC11596B405DEEE4D9E3956714C13ECC98D32BA6C640A9C991414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.511{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACF7EE864C1ADE75445A4DF341CB16EC,SHA256=BE75C01580E65D5BD627749E5A474D01C16455E971BFE5D7C0D6EEE56C43EF13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.448{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDFDB4238A75D32E295A94F1798CBBB9,SHA256=3F7366B173F5A1816355C54C32358140AC310DF4E7D3E1A78CC96805E0FC21E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.386{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B324B184EA00A7D2F204C983988DDDFF,SHA256=FC1E50B50B945E164E984D5B9D46FF0FE0471E5AEC85794EF213E0B91E9FFA91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.308{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDB86E7E9A9A8230D67FEF24E57B9CF,SHA256=D02FCD6EB6814E22F119126F6D67AA33A9E9E0247A13BC701571A2B1DBE56DF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.276{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047955515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.276{3BF36828-63DB-6125-59F4-00000000CA01}1082744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047955514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.276{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=877E6B60F7121385DB9915033F9E5E24,SHA256=030B30E0021CFBE9DAF0B6F7DAA1D770ABBD2F777B7CC1588131F4863513667C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.261{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.261{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047955511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.183{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7F444B251D5D7F04D078615AB64887F,SHA256=EB0E695F26C7D3FB43B1D9E4F70034CB4632E8B83059AA09F04AFD1EBA37A891,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.136{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.136{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.136{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.136{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.120{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.120{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.120{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.120{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.120{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.120{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047955490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047955476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047955474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047955471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047955465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047955462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.105{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.094{3BF36828-63DB-6125-59F4-00000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.089{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30277EE05DBAD23C0520A3EA5B08A6F,SHA256=B967A62D87CA70FAB2C85371B14C288C99005A1DAA962CA1ECD5D6B8BE373B57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:47.058{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3C5DD11CB70E81A7216CBDE79A29471,SHA256=22D4BF1914E963FD325F5060D422B9B9EC186DB2C5D07A0B3A7600F299DE7B4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:48.742{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CF16052A86FCAEFBC0E43FCCB0CCE3,SHA256=F7DC0CD2BA2A9573FC4A143C83804756EFC4AE5559139C6711179BEFA5570DC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:44.031{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53774-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:48.558{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7848923BE20CA755DDE828838DEB6DC,SHA256=543626CCBAC6A5A53ACD3A864BBD4CC5A613608E41A9C5650C9A591AF59D4E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:53.103{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58854-false10.0.1.12-8000- 23542300x800000000000000047955522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:48.183{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A7B933F923CCD4EE63E67A3F2BD93D9,SHA256=6201CE4A97D2FC179DD291EE30956008D9B3AB4750A02966E3DA9B2CB8392BCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:49.756{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A978252AC652506021179A29DEC591,SHA256=1DD020F99803755D79D737F09E7CCC54EEE69B900B64F1D305E4C5087B45CD72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:49.605{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7158127FFE67CA9CABD2180FBF08DD20,SHA256=C800D039D0B42D5E656A352B1D5E0B13220C3BBC769C6E58ED2B4BCA077F268D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:49.433{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C8BA65B697984E613EDE0FFBAD18C5F,SHA256=FE6F9552010014838D8EEC9DCDCAA7512ACAA12D34F5102A7EFCBE7100316CD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:50.776{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE5B8496F4A421C06062E7BF522FE1F4,SHA256=836F033DF3754A31EA8597D63392AE590D28F4FCA8525BBEF4320DA289D868E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:50.776{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA44439CEE228317499BD37A02D7DB6,SHA256=8F6780B3589AB9A90399E6A3D32227EB6DE0F2F4E39A098E72E9986B5018191D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:50.771{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE392E02C12AFA733E8743ABCE838662,SHA256=225954259ABC53927278B26DBF7AA34D82AB4CE8553EFB60BE52B0E560AC89CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:51.917{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29D7A73D0A15A204775C35D4CDAD0950,SHA256=40692CDE0D4804709FBFE413A80B2B626B8AF0ADE767CFE7F9A2979DA1ECF042,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:51.917{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5F0ED2A64D00E2767F61656534AF01,SHA256=7C3F367CE8422BE74130B2AC8A76DD1E2D515288BD3576533E367F0D47A4E41E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:51.789{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6796505A09538CA7ACD14CF7172C88,SHA256=EE5FC04B6F476A36C636E9D8E407D00F57B20F9FC4C93B10B3D4F6634F267556,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:52.822{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2AFB9BCF8AAA58DDDDA9DE6E979094,SHA256=9237C43226E4E4231BC75011AAD9551B146B83071B84D0617A2B860E6009847B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047955531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:52.808{3BF36828-401B-611D-0D00-00000000CA01}8962320C:\Windows\system32\svchost.exe{3BF36828-401B-611D-0F00-00000000CA01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:53.852{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B7AAAD02A9EE0F6CD2D55B3DA80FBA,SHA256=5E25CC8A7154F86AACDB68621E7061E0C3643476CC51752DDA9D79EA6BD23F77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:49.968{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53775-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:53.573{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C5B5E04AB91B9F8449BF030F4B52A50,SHA256=47B435D181FF0A173C22EA23158B094CD265B1013CEF3B2E9AD233EAF965E327,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:53.151{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7E409ACF43918F83064A1E0BAFFDD3,SHA256=0AE0DF8D1394F0ED7635DFF21D8C90452B13D0DBD580110B56AF2ED533FFA011,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:58.998{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58855-false10.0.1.12-8000- 23542300x800000000000000047955536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:54.714{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A3F78A9CEED092990CB563D5D4DF0C,SHA256=06087B5B68CA8E81667EF081C4850934832FE950E9A4B4698842CABAD9848FB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:54.230{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418726077B8E471B4EB52882AE8F6A23,SHA256=902F31C9FA80AD70D656DE7462D8D0ADD901FB456B502B37AEFE4D3C1C40F35E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.767{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.767{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.767{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.736{B81B27B7-4013-611D-1600-00000000C801}11966328C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6700-01000000C801}5176C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.736{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6700-01000000C801}5176C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.721{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-63E2-6125-6700-01000000C801}5176C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.721{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6700-01000000C801}5176C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.689{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.689{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.689{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.667{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.667{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.667{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.667{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.652{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.652{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.652{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.652{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.605{B81B27B7-4013-611D-1600-00000000C801}11966304C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.605{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.589{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.589{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E2-6125-6600-01000000C801}6736C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.569{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.569{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:54.569{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:55.581{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A30065CEB343C83A1C7A52F162D783EF,SHA256=F20EBC01B5B4975BCB9CD522F27DC2ADFE6F20DB2913FB1B4B783318F37AA239,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:55.580{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E92811467FA9B4270683D09A415553F,SHA256=6AC900413BB87218C58BCA77BA74FC7F96FA06C85CA1E655D62A8555165701B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:55.236{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4C66DE312907E8B177F174C66EBA5E,SHA256=A82E9ED47322878F5F2B3F40095E8F15AF36851E1318E5D6D12E284E05814FAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:55.689{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9573142433E6D4416B89B580F334BEA5,SHA256=5EADB7E23DB91440041AAC2D155F573D5D87BE8154C86C2E0E022E11DD61A373,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:55.245{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA5BF3AE9AD5A4E2E36D953EA050D62,SHA256=A45A37EA7FE6C865301E59BA5DF2B9D6D684D6618A8F13EB249396C12F922AD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:56.526{B81B27B7-4013-611D-1600-00000000C801}11964984C:\Windows\system32\svchost.exe{B81B27B7-63E4-6125-6800-01000000C801}828C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:56.526{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E4-6125-6800-01000000C801}828C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:56.495{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-63E4-6125-6800-01000000C801}828C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:56.495{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-63E4-6125-6800-01000000C801}828C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:56.338{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D56A3BBFDB79F9C54834A7DB87B7F9B,SHA256=694EE12A2A27BD36833B4F211FAD8AA6D3B43E19C1AF4BFEB942EE5EFBE50752,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:56.939{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD5B4834B5A6CFF451668B0EB8B976DD,SHA256=2482B01FA0AF69D3EE63D0F14901F5EBEAA55A9AF1A489F319DE4A90F82BFBD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:56.267{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3C469A45126F0B7D54C52B42EA369A,SHA256=C978295862FF99EE39EA2C33763F01A28BFDB9F9CC42E3787BDAE342F376E40A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:57.267{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDCEDF13938586720D1ACA4AA543EF3,SHA256=B7C72FD65043FC603B0C2B346E32937B3BC18CB45143D215D74931E475C84E96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:57.558{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A30065CEB343C83A1C7A52F162D783EF,SHA256=F20EBC01B5B4975BCB9CD522F27DC2ADFE6F20DB2913FB1B4B783318F37AA239,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:57.359{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1306829D7871641C4C292DBE5D046CE9,SHA256=220747B4F8D52F9C7D54B25F104FB4D75314714C3B25B809895F3611A833E553,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:58.439{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE779BF505F5CCD7E9F2CF8C44A4858F,SHA256=A49F635D2A2261FD078E40415353BFF1FBBA744060A1DA26A69AEE9DD168F285,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:58.439{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E7B1340B0443A9FB01A2C09CCE537F,SHA256=23F2EAC79775E9A20101119E05046ECE1475465CB1EE7E16A881D1C790064EC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:58.375{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B185FA06EE9C519091D607BCD6D862A4,SHA256=116D30B13C5A15D5F73D533A461CEA877D53B6E8A177A28D38F194FF5B62B314,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:59.498{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12D8708E890374C3C35CCB139259C83,SHA256=B91E67754E984866E0ED3B1BA21520073CC91D0ADD98834353C09D3D1030DDB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.103{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58856-false10.0.1.12-8000- 23542300x800000000000000030725336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:25:59.394{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE3AAA4B5BC835ABBA2BE9FE3B0ECA7,SHA256=D61768DE9EF2E19E8D764D71B5C864C6B9C818184C71517E4439DFAFD12C8EE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:59.092{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EE698B9BFFB68CC79D846C5018F9613,SHA256=02125106455B6C610D21E861A4F30DB573128956725E1FBD85E5D2A07EEA3420,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:00.673{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A10BED9DD486BB174333E4B2C46E1B01,SHA256=D237144F22EAA99238126C8E6538DF0D2755FAE8BE824D46DDDF04DF7BC7F924,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:00.501{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668C085A65B0C86E99E871810D29AF00,SHA256=C0375ADBA23B4581EA053FF9C1414CC52698A78E7DE295A08A0F72FFFC91CAE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:00.425{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C73D0BE3E25D6D41CF584FB515CE7F6,SHA256=55460A5D9D159261C6FE4737A5EC0D242306A942C71B5AFE503BE0CCE7D6CCEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:25:55.880{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53776-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030725338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:00.156{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E4215781DBAAEB5C661877F6C91BBED2,SHA256=E1E71F534B5A21CE7D4CCB3DBC310EFF84E9CC4E6D23CD5D415748B6016A1FAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:01.782{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D03F246FE0C660E7D04DAEC1B60C9B2,SHA256=3A139E74050C611101EDD37D68067B8A0342275F56981DA0F22B058392365DE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:01.516{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4792F9199BAF13C451D34E9263DCB3E,SHA256=8E8286D160CF78E92F09FB9FCE437E3A10E8057F735E04EC6967324F9363EBB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:01.456{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4408719946B830C828556CE0D4FB906F,SHA256=C14E1009A479A057902836F4BC72F88D5063B8BAB4E2006EBDCA323824435974,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:02.845{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8197BB173DA4E1336D6D5A214AA7841E,SHA256=AD68E08B5B7D8CF24F39E68F5F029D63AA1BDA9F480473F022329832DB455255,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:02.548{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979161E97FF958A53E837E86E6A45632,SHA256=358E2C8F1AB86FC3568506BA3DFEC2CCDBFABFC75884A6D4DF039BC8C61455B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:02.458{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963D9B0F53B431BA3CDCA1195667ACC6,SHA256=29C710F3EFD5A4AABA336A7231262908ADD5EF3EB29645FEF091A8401BBC3892,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:03.595{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB366670EAD8113F595AD88149352D0,SHA256=6947E2EA176D8A00CD1816168B97B742B9D4F628951D9BBE81C77708D19239C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:03.857{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63EB-6125-6900-01000000C801}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:03.857{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:03.857{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:03.857{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:03.857{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:03.857{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-63EB-6125-6900-01000000C801}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:03.857{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63EB-6125-6900-01000000C801}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:03.842{B81B27B7-63EB-6125-6900-01000000C801}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:03.475{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7D667F2E174263328ECAB9C08F0876,SHA256=CF0F06DD055C9EDAFC2EF4ABD1C92F6E76C96D293ED343FC7F9BAD8ADDE58574,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:04.626{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2200AED2820EB42F8CF30DCF2D7F9F9,SHA256=4078ACEFD75E79E09E48F1A3915460E34AF534DF3B945B1AA6AB67A96F7E7142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.875{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DC92F5E25EBA0A54A286A21B2FF7B99,SHA256=37B0BE379C8A003B40389A7E24B84B185F82AE3BD3E59485AC6425D5C77ACE52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.875{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6308AD1CCFAFC0865C384572F0C24B5A,SHA256=44B902ED2A55FEE23B5BD2CE97DFE62CC2667EB44E183CF87160A24BC38753EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.556{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63EC-6125-6A00-01000000C801}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.556{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.556{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.556{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.556{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.556{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-63EC-6125-6A00-01000000C801}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.556{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63EC-6125-6A00-01000000C801}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.541{B81B27B7-63EC-6125-6A00-01000000C801}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.525{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17AC3E8777B08146CB9D7EA5411A3287,SHA256=FD080A437F935B6D9DAF7C7ABB38BA17A45D5ED83F56D9A277F1F37B25B9AB4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:04.048{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE13D66BA682A32FC9C6C32A749E3D29,SHA256=3FB8604A8ED0046444AEA6F2D6F34C618C1DECFDF5DC2AEAE5DC97CEA88861FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:04.025{B81B27B7-63EB-6125-6900-01000000C801}24164316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047955560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:05.845{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D7397BEAF418E0E74F0F73470DC865,SHA256=A031BA8FC8F1A826563739C6D2A1D224F056E30BF1E9DDFABD7903F679995E3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:09.969{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58857-false10.0.1.12-8000- 23542300x800000000000000030725363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:05.540{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F69B3D502F24609ADF3232C16B8C0F,SHA256=45975A19D3DC7E2CEA56D1796A68D60706213EDF4F4FD4A4480470B932E0CE64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:05.470{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14D07C1418DBAA242ED32EDB5BC3CA96,SHA256=237C6F424E7A265129D365DEB8531755A723A6078203DDF4C7F7E9A3C3150555,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:01.818{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53778-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047955557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:01.818{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53778-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047955556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:00.989{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53777-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:06.907{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229B9577FB5AEE6C078822825E4ABDFA,SHA256=9EAC3D08FE14A04B1A010B64DEB5FF573E982B31DBA1648D46191B58576183BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:06.554{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DAC63C94D80542B6394C97D0D7BC7F,SHA256=6FD12BE960A27107AFBC33C3F3486112719B3DC23E5CE944BF95822CCFC93DAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:06.626{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B740DCC6A058664853AA2D1F2CB9919A,SHA256=0F7C17E74DC49191ADC90F038B1EBCBF9C9C33BC07E51054327034174F76E7CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:07.572{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5B9E9B76D8181ED8316556344D353D,SHA256=5A33C4F2EB11FA26BF9CEB167AA8D248ED1D1B8007AF7320F817049C6B76E203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:07.766{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BBF18A5F6E20277D83B26D535CC249F,SHA256=878ED36390774C43247D163279FC21F9355AB5A729336E6E2F3D137CED3E7EBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:08.606{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958D65B5B1C0FAB216CB0DAD9834E1FD,SHA256=68A20DD4159747821E06A617B301A510352357B218DE8A298318C3B383CA5EC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:08.095{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14303C7F3FADFD073CC40D84988BF18C,SHA256=86361E852CB59241DF1484BE33D21A1EBEA67B7BD35BE9DE5F2E9A5F970B6B93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:09.621{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D90630B8EAA7F20030C150E1AB78795,SHA256=9D6490C06E1B4E201D28B520233A8E5A02C54ABDBC31A4B0B9148156EB14F56A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:09.235{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9045FA6166E014A1458364270901DE7,SHA256=5EBF81C7E5755F54BA12138AC4933E15B5109CCED9D81C14C4120F169250EEC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:09.110{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2FB1691795BF12DB58443923634C2D,SHA256=8391B45D434C21A8397DB76B2A658E558637FC5F3ABA855A2E3289631A8F5AD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:10.636{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3CE77D6D1E8E896FA99FEC702B75A1,SHA256=031D04C6E7E152C8E29AF49D0C0131CC773BAD9DB86089DA2BFFB80FDFB23DC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:10.376{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53A9C6BFDA5CAF66E3FF270C055EECAD,SHA256=88D36B8C6E65244443A3E9580530DC4985CD5968A74798661C0FAB52570AF019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:06.021{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53779-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:10.126{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D35D20795456A707BAC3933111D325,SHA256=D90FA1EA10F91F7108B2EF349A53339A172A40BAFA670BA99F9C60FB97C3FC80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:15.066{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58858-false10.0.1.12-8000- 23542300x800000000000000030725371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:11.670{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574A5CAC533B2F301429ECA5E73E1192,SHA256=802EFA05F4AAF5CB91D8DD057B25FF321A44574F2CEF8C595733B602F46DC140,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:11.579{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:11.391{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89706E83A8F5BA15D1A7B4E66C6E41DD,SHA256=29BAF979D03B26D327732106D96072ABF25F61F055C920A0BD03E037B3F21FE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:11.173{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B291096899E52A764C23238C0ECDFD,SHA256=5A5235F98DCFD63CEBAF160A6C3CCE3B41ACEF047995A562F638A5A714F3BF83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:12.704{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1B35BE8F1F5FDEC05333A5A077A3C9,SHA256=4AAD1E330428497FBC96006C2A6F0EBE2FCADF6D92F062074723B9AF31B3BF60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:12.532{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42DBD99BD97EFAFC96FD6EC5C8B7D9DD,SHA256=16BC6E4B0CEF6115052322BAE1A9A142B9F41FCEF33EDBB1DDB9B86383982354,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:12.173{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61C4282D47AEA6763A6F660ED158A21,SHA256=36BF9AAEDF7DAE9D9CD3169A73BB41A5F8B969D9137F68B2F77A89DCBBABF464,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:13.719{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15CCF45BBA4A1A01D5ACD422A8A2D56,SHA256=4ABE8ABF2D066710C2BA34E87EEFBEA73C7CDBE3B429ABD613F27FD15AE7F26F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:13.673{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57CFA330641E639C39C840814D37C829,SHA256=47E90012818FE706CE30A27097ADCADCE56E21DA357CB0FDEF88B9447C2B8E58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:09.396{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53780-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000047955575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:13.204{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636AF0E50799ECE2A20BE051F1EB70E4,SHA256=06AF0DE4ECBE199F965D86DB3D92F550F749FE18D3D0D5BD6E030F97D3547C0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:13.487{B81B27B7-63F5-6125-6B00-01000000C801}66124444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:13.335{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63F5-6125-6B00-01000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:13.335{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:13.335{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:13.335{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:13.335{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:13.335{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-63F5-6125-6B00-01000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:13.335{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63F5-6125-6B00-01000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:13.320{B81B27B7-63F5-6125-6B00-01000000C801}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.733{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A295179E2B017341CD91AECD30EC78C0,SHA256=A7EE9D2BE6F4F45C3CF1C86D9F537A629BC01C51EDA53F103FCECD2957915D17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:14.938{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D97D679A896BCCA2888C723E8CE409A,SHA256=72E99142A4F87E7DFE4A7BA2196F3202E08A343E236CBE4E5D4C84F9584B77C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:14.220{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF23ADF1E27B4BDC45333B13FFE95E5,SHA256=9B0ED6DF35BC88794FAE09C4E1883517FF7233085179692496B718301122E6CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.549{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1925D9CFB82642DCAFBFAC6970747D41,SHA256=11CD6977D3305CDBBF4C6638935264160670E483658CA68672BB5C8CD95FBB69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.549{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DC92F5E25EBA0A54A286A21B2FF7B99,SHA256=37B0BE379C8A003B40389A7E24B84B185F82AE3BD3E59485AC6425D5C77ACE52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.034{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63F6-6125-6C00-01000000C801}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.034{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.034{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.034{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.034{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.034{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-63F6-6125-6C00-01000000C801}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.034{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63F6-6125-6C00-01000000C801}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:14.019{B81B27B7-63F6-6125-6C00-01000000C801}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:15.748{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C8C4E90C11249E66AE2B6A26952BB9,SHA256=E164BDDB03058CF5E71EFA2CFA547B419913FB96BA70F75C3A71AE04586AE919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:11.912{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53781-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:15.235{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8707EC835EB6DC78F604347906F10360,SHA256=D93BD9BE9BF3183B55E8D5C46D4AD2D77FE981577AC577CD83CDF8871D702737,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:21.077{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58859-false10.0.1.12-8000- 23542300x800000000000000030725395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:16.769{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852E72912FD5EEA074255CF2904F3CD6,SHA256=A40692785F2F69BF75FA871BAB3FF9BF93CC1CFFDBDBBF850B4A9967D4070410,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:16.646{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EABE71FF6DC33E67C8907BA212F679D8,SHA256=ADEB9C1F94CFB256B6AFCC5E5DF6A74975E02782156A0B8243A8CF44C7FEBB4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:16.255{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF62FA6574E78C0D5E1DD6F42EB1DE8,SHA256=36A54DBD9236EDD94A4CB1F5AE7014C0F3686896460124B3700C1D8AA3C4760F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:17.815{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A206C38F77BA32DD551FD379852156,SHA256=545A039D866B9D580DAF91B3EEC406BBAD1502A571530227DAE00410284D06FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:17.708{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82310231B2706D8D0725F61B24720BA9,SHA256=BC7F0B9E9A15294CA4CA55BC2E0C79FF85DBC521769878D8386A2AF4F890D241,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:17.271{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A45EA1FB6910295A98F0AFB5D0BC7F,SHA256=6F99693BCC4B4F5C97FF2AA4839B45F844683E2FBEAEAD22DED7331CBFDB4687,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:18.845{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE58D7763DE322AA7CA2FBA299D9216,SHA256=8E50206586D8A0BF16E63F79CB9D1BFDFFA2704C8E73EB51C52F05008255DD55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:18.943{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=230A5A3AF59F5F66B06484143C4CAC09,SHA256=DB8D6B507B655FF237F6939EE01C3F9443C645CA22042C192F7CB5F7F7CE94AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:18.287{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC49E5724DCB590A84E21BE22441D7B,SHA256=245242C6E1053E505DD1AD093B74B0D720EA75716C688B158E5EAA18DA2997E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:19.997{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:19.997{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:19.997{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:19.997{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:19.997{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-63FB-6125-6D00-01000000C801}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:19.997{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63FB-6125-6D00-01000000C801}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:19.982{B81B27B7-63FB-6125-6D00-01000000C801}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:19.862{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D46270A504A5B27357FAA943997F7E8,SHA256=ABCD7FE42B13BCFB409E90A13C44017B929CB249E34C5B7BCB70373D4E71E2F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:19.318{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4329197945C637D86F7D754B7700940D,SHA256=A565C9B6692E10A2F9FD3232F918750208F1E89E3C01CE0EA4A8227BDC6EB6FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:19.213{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA1BFD6D716042D31803B6CC167FF672,SHA256=F6AA8989EA5D86C2FB61D7579382F132A467BD094FDB007E82F6CFBFF4F21C4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1925D9CFB82642DCAFBFAC6970747D41,SHA256=11CD6977D3305CDBBF4C6638935264160670E483658CA68672BB5C8CD95FBB69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:26.126{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58861-false10.0.1.12-8089- 354300x800000000000000030725420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:26.126{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58860-false10.0.1.12-8000- 23542300x800000000000000030725419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.914{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60C069CDD2688657266C3049D8D15E9,SHA256=3F2CC6116C320DD61CE16253F447CA88787A55F60ADEC48CDF1BDC645B8ADCDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:17.103{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53782-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:20.427{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=232A890465C47257C4628CFA0F7902E5,SHA256=9CE5CA345D231BC885D4E0340C91438F368B8B755B165DBEF1F253DE53B7A789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:20.412{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE3AE06A7FB00D0C9F696BF253149662,SHA256=7AD1816FDE0BC1935BE7E743F31310E459AF4F2898D875CD346681A87CDAC79D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:20.333{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B439140D2FFA504C2327F501A227CFCE,SHA256=1A7099914338CD1765ED2B8F2496BEF47B4BF416972F39C261FCAFA73D18AC34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.843{B81B27B7-63FC-6125-6E00-01000000C801}36083700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.696{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63FC-6125-6E00-01000000C801}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.696{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.696{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.696{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.696{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.696{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-63FC-6125-6E00-01000000C801}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.681{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63FC-6125-6E00-01000000C801}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.682{B81B27B7-63FC-6125-6E00-01000000C801}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030725409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:20.166{B81B27B7-63FB-6125-6D00-01000000C801}46206628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:19.997{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63FB-6125-6D00-01000000C801}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:21.929{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF7540C8FA1C05AA7C7C002D9CAD923,SHA256=A258B77D30AA84172244E4EF421DF1DAF816D0F33A1D725DB69B71058096C9BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:21.599{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=683D35CB6A346A070068B9C00674B918,SHA256=4182EEAF1E57D0E35EF2F431EA6C03AF6944F80ED8CF60E1CF645DC41D090775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:21.365{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C9A5179E4198043E0B3D84DEDE5B127,SHA256=49F059F40C9C9BA23DAA6AA30034A0E5527553191C3315581FCE758FC74B44E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:22.943{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C4C024B9F58A05856A18EF715037AC,SHA256=C1264474502CDD1A3B1E92DC42839C8577BC3015526E16F54CFBCDA5CE0B9AE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:22.693{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=791B10D65F9C08B0AAE05CA9A2D5E787,SHA256=50BADBBBAFE30783C0C9EF698916C265CCC53C957DEBD4651185B6F7BBC05133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:22.396{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D22C718963C3ECBE4E8884688E02B9,SHA256=7AFFB47A7F2431A43E49909BD5B60CADC8F7E62153D6A7CB6EBF6780648A1EB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:23.963{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B2CED204F4142DD464C2B2D5B83DFC,SHA256=7BEAB5E221EB7FA8C237AD622BB633AE3345CB7D82EF4A13ADECD1B7E25867F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:23.897{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD2B0D0CB66231E45D13D2E60FF79688,SHA256=B16AFA491DDA2D5A5FD5ED8784A88E25C870D65C261043472FA6B21274E030F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:23.427{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7599404DABCC1C78B862F0AE8C7F409C,SHA256=4A1904C256F53E42FF53745FF5441CF02A77779A03B7441C59BA14C61666E4E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:23.143{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-63FF-6125-6F00-01000000C801}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:23.143{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:23.143{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:23.143{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:23.143{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:23.143{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-63FF-6125-6F00-01000000C801}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:23.143{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-63FF-6125-6F00-01000000C801}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:23.128{B81B27B7-63FF-6125-6F00-01000000C801}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:24.995{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A613E6D80E020206A0DC49B4DB4F13,SHA256=54EFAB2095710624258B304D382EDB03CC2EDFA206829F94415E7BD742340BC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:24.458{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40FE1C0C04E5A6392B27E03F4788088,SHA256=82CA3F21F850F4EB457D3AB4A667A5ED25F9DC9007B6D0C0B7259843C0F0BCC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:24.143{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA1BFD6D716042D31803B6CC167FF672,SHA256=F6AA8989EA5D86C2FB61D7579382F132A467BD094FDB007E82F6CFBFF4F21C4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:25.474{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5B647F912727A21FDA292F71DAC4FD,SHA256=99C599263E09D14F16BD116C83A106DEAC527DDAB97DF0151DC3FF2029A93D3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:25.083{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94672C8B9019038269B2213ADD69CDBD,SHA256=2E0C35A98B9F74B2B473FA57E1ABA9F68D21636CFC928B2DFAC1CB1A95118CF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:23.009{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53783-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:26.490{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C850F2F261AA5EAA790F30AA1F6219F,SHA256=E66B6CEE801CFD7D44CDEFC0A6F01DB738A6004AF9215C4681DF718D94AB7448,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:32.070{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58862-false10.0.1.12-8000- 23542300x800000000000000030725437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:26.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CCD17088686267EDFE2404AABB5716,SHA256=EBD46C7C29991F321035847AF091845C803CAE95D3073678477C545EA797FFE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:26.177{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBA06EF8FD125AAC1372BFDF5D1FB0B5,SHA256=4A4B03ECE5F4C25F5AD2D974973DC6CC4A1FAD3EA8D51BAC715D07D9DB15ACEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:27.787{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B038AAF9E65642CD0B4AB4BFF0A5D6B0,SHA256=74F1F1EF0234BDB6E09E5CDDD7D5201106E07BCDA21DEE011AA5FB80B9FF2325,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:27.505{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EDE574D5ECEA9DEA9C80BFD9A54C8C,SHA256=974EAA0D6C18A9B16B8800FE05F9127995D60B4B011A10AAA1180E15815DD701,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:27.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2243B39863C97AC2CBEF06634BFFE568,SHA256=F3740FAC8AC6F82BD0C3252A0C0786B41C2A95974A8153C7B8CE9A0139D7A66B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:28.833{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=052AFD25E45AF8A7AF3AA5EAAADB696F,SHA256=B56DFA6B55FDD01E9C8FB0B090860017BC45BBA32AB400932A1C93CB8E16E35A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:28.537{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B45D7F4E875960A0C60459DFC9D663,SHA256=A834C2C4494A2CC130F7ED4F763E638EC5F9641611E6BCEB3248800AC7D2AC3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:28.093{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDDC4BDC830E0EDFF34CEF009467B18,SHA256=42C8CEDE3E11220B6FE092573D568EC8B35179201FF8E2D876209EBA26C94439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:29.958{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21C0229E4313289A1CC90DA01817CB79,SHA256=51F078959DCB91C20CEBB197755D15DB31DDCA5349DCD83C1D8BA86973A33037,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:29.537{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF4AC8E4CA041D5E7B99B817EEF8AD5,SHA256=74A7BAC9B9CE53155FC0218405C5E039CD16C2DA54166EDE3CFAC7FC88208329,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:29.108{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D27CB0646CE48C5C1E33154D5399A16,SHA256=EDC7BCDAEB517289359EA365C4EBF8B929475AD1D87B9C86E0FC63A0A491576B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:30.124{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1105D0312C46CEA77F57C1C55A102C6D,SHA256=34B5ADE66448ED8D769EA5413279A883EAF8F14E3998ED53BD476584E30FE4F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:30.552{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD89FF682D6C58DB3C99432ADDCDAC9D,SHA256=2C5C16FCE179AD724DA56EBE57527F3C30EF6F7C90A9082EE473AF6411AF4D93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:31.568{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B3D273E199FBB2C859FF4C7B3C07E6,SHA256=584EF9FFC3CC448D9230AAD6F05E2D074B4C99259D2B66ABCB09F15F2A982BDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:31.138{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14635E144C8739E6D5599B899F6D4EF,SHA256=0749E63395FCA43C274572823AB368F2A2D849938A7E64DE67C9F895DD5E112A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:31.193{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF4C2E60C9B4DC5A9EBE59FA2D2A3956,SHA256=5019BC1502DC366DA8206E06FC5074BDB1D27D43281DA59EAC85F6D5647D77BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:28.900{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53784-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:32.568{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A39D9F00B84774B6D307549F4A9C62,SHA256=6FF2971B05A364BC892D8591FAB8138C8ABD826C617AE4199A3E5629CC30FBBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:32.155{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8C3A6D0CB4A4EC6D3A9941BB364F8E,SHA256=798CB09368E77DFB94E6858319FD81789311C661252929CBBD03B2B2CCC3B35C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:32.490{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBAAA1C255232E82A0D6EB931D11A426,SHA256=ED5FF59BFFFEDB9DA07BE156B14EAF75D8EF7B21781376DE75CFD8685886B18D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:37.167{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58863-false10.0.1.12-8000- 23542300x800000000000000047955618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:33.740{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7157270ABBCC30123AA3C8269ACBB653,SHA256=13833097932F8BEF154DA86DF2CFCDE7756DDBA79B5C821DF3C22C0872B216EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:33.583{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68E0B35142C808E737B0EF75689DBB7,SHA256=FF5A351F1797D9C8B0B326B5468B01D21D2A17AF7714FDFA6B90C995991BEA7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:33.158{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F95746F1A8AFEDA2A0BD1C8AB175C7,SHA256=9E2A02207C50B46F7330E9457BD94322D1C705B63731924BED89E05B28468FA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:34.865{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0663317DDF3BC22264C925BCDB49874C,SHA256=887FEF67788DF4E6855FDA9F3EEC2934971D24CB3675D041171C67DD996F6B6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:34.599{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B72E3DFDFA9412191E06AB9230A3A34,SHA256=032498B4C979C821AF89C7746CCBC03A01D3F5EADCB694A4DAE2A76051783082,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:34.204{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88B439C03BEA31344D038577F0A4EFC,SHA256=CFD13BDBF9411225476EA63C4595501376F672DA924C7743AC35475020308AC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:35.635{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A288DF97446B805D3C88301D40C225,SHA256=79CC7D4A5D176D5D44BEC09FB9988F6D8C600CEB6474593480B35E01EE0BF3AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:35.219{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAAB11DCC1B08E96F64C0F5EB6DA5C45,SHA256=3C7C18C9387D0B42DD6DCEE02BF85D511F6F134F0AA314694F41D6C14F4A8F8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:36.635{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E27A2D163AD33382F1AE6EEBEBFA19,SHA256=6DD5A84189C5AB8FC9975836D6F5DCF8154FA7015A0C6387D973F0FF78564AD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:36.251{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB3815AB825E85D902295D905075707,SHA256=C9B8C935DC2FD82A5CEF30360038A24C2F675ACD5B534C5FC43D1CAFB2CB0F0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:36.041{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDC595E9F75C3BA4FEC2BDDD4A005966,SHA256=C1FC4D3438A904AD2188BAC34411E54B6ABE6F6DAB27C2B1131049538CA8FE9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:33.920{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53785-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047955625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:37.651{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF9B1847261A157E9E325140D36D337,SHA256=AE49A4B9331A009359530122A8656444A2EAA6ED4337D8671579BB2D0CD22FB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:37.270{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492D4D62F6B6445824AFFD7F2210AFBF,SHA256=4C49E21C3E6321505D34C52D55F6AD45BF166FF0F03498116CAB70F81EBCD654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:37.073{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53B3310FD3C34B998ABE20CAC5F92604,SHA256=46C9150F6B14B2C68555E19E4315BA92124FA24D038938556C811DFBEA576A28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:38.666{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CBF0E7964BE7794CDEC9FC36DB9574,SHA256=29CD5D86B2F5D5A2C3EE680E7E7FC4001DEA41A2AD328AB2A0E5FEBF6F8D4BAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:43.083{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58864-false10.0.1.12-8000- 23542300x800000000000000030725451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:38.300{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045D1B331A16F98AD3B82A6D63F51812,SHA256=DAC23A2D12132AD881625FC22B39DCAB45752169DF07F67C5D6E9F0F00D404D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:38.151{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD329664A01087F728FE5FB780F3DEF,SHA256=1EB1FB9D4B5C6495607F9EB9022517EA2C7D18C366E040291403085C6BFC18B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:39.666{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CE54EE1E8B82016354F3400B42D757,SHA256=DF0184A52C68D6B59E35FEB4B3B46A87BBD74E2E32BE2F8268A879DB1758DEFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:39.330{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D259E30B612A01834D36B67DA9158E,SHA256=E4E750A2653E0F03ADBCDC8F45E6C1ABA37E8616ACA38708E8239367E1522490,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:39.416{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A680A1149DC31505996FCDE0438A04FF,SHA256=78CE323646C498B64D1E13AAD7F8DA0A343BA43BF2F4A17F2B7B0ACE785BBD78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:40.916{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FC41F2004BC861AC657E7F2BA1AFAFA,SHA256=F38E22D98CA8DF398157B5DD8D2442983AFDA20F59DC2BA66E13EFFCAADDA645,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:40.698{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6AC6209FFAC42C07889873FC23C41C,SHA256=8752C099BFA673D19C75DF027B4871C351C4DCF92B0FC94FC62DF012C921A232,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:40.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50ACB83A8A5EA065CA346608A42E7273,SHA256=39228F3039E0ADFCF5476AE01D2BBF1D4A5DB1581BB0C449AF7245FC0DD0E3C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:41.713{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F0C830B0595A05B1907F80AD62D275,SHA256=0CD5F3ECB7BA8BD92BC3D9604BD621F6DEA31ACBB4CCB4B5FB4527ECB11BACE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:41.397{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E71F058F68C1D282F985066B6235891,SHA256=70F42DA1342A1CFF8F2C5FE155E31F48AEB143A4CABF7EF3167E38BC7D5FCF2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:48.140{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58865-false10.0.1.12-8000- 23542300x800000000000000030725456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:42.427{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEC12365CE572A151F3946805557A4D,SHA256=13F417B0378CAE5A36F12CCDCE9D9BB743A08858DF899F2D97DE96AD85105D59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:42.729{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1591CAD422C1FE6CD22016446B128AD1,SHA256=CE53F429BA451ECC9E93FD8D2B5FD639F6D063E7B1B72FE68B41BF3CD2ACACA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:42.073{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10719831935BC3329700F68236F00EA6,SHA256=22CF01663FE59BF3D0A65BE9879CA7B96C59DAEDF966CB0D31679AF2DD8898F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.729{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A690BC3F2EC02810976A2B2535E33D,SHA256=BB4C10D7C4D578B3681054FA3748A07553510374F4D797ACC3B1060457FBC87B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:43.444{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB3E8DD2D5BB0FDFFDCDC5AA8CB4A7A,SHA256=A566C38C4BEEEB108F783A288583BCB8D5B1D4CC6D8501800441101BDC291817,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.666{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047955697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.652{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.652{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047955695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.526{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE743A564978DD7D45783BC13669D30,SHA256=71548AFF971FAFA444F534A3AF3A6C6D9CB4B839C1C37E0A011C05DCF9E92851,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.479{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.479{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.479{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.479{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.463{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.463{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.463{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.463{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.463{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047955685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.463{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.463{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.463{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.463{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047955664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047955663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047955661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047955660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047955658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047955657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047955654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047955651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047955650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047955648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.448{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.435{3BF36828-6413-6125-5AF4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:43.229{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=240C0E6601317EC9D4AAC612688095AC,SHA256=354A6823FE114B2E8495A615E0D09A29ADA73CECD15C8BE0ABE110A57CC0BC60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047955636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:39.108{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53786-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030725459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:44.509{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75964C8154E30D4EC20B1B711EB4E2B7,SHA256=AA4B85304EA25FA22A969D209ADDA49C8AEBB422F0E2D176BD3CFAC3C4198D0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.922{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=194D949D87E2530B5CC16BC61F84FF09,SHA256=810580DA7F0F9BE60BF8B6E7C73F1C1541567EDFF691157AA4129E8A4113C863,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.870{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047955815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.870{3BF36828-6414-6125-5CF4-00000000CA01}55563836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.870{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.870{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047955812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.854{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=656DE75E510B4CC8637ADA4ACB40635F,SHA256=AEF3E6336F37ECE1CDC39F2DE65879AD4872EFEF5FBE8047E029E26DE3856BB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.791{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0301108445157E6A938DEC6B6F4793F5,SHA256=5AAE59671E92F3AFACE95E6E0BE842BC81D7489027DCDD0C934E30EA7F6F33A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.744{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A02221F4FB170E8FCD996C5AD7D3C477,SHA256=30A603144F48666176D4B75C1636951337C6BFD7A68D7691B5D24921994BD33B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.698{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.698{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.698{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.698{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.698{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.698{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.698{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.698{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047955789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.682{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047955774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047955771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047955770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047955767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.666{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.654{3BF36828-6414-6125-5CF4-00000000CA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.651{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9B6B6D26DB4103E3F1DF73D84DFF22,SHA256=86A8E558A8B39B4B6B5A4AEA40F3E01919FF56E44A5C2F2B3BCD074D6EF23550,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.619{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD49063956D5DF3DB60BF01DE5205752,SHA256=1C1A0A70AB97320D22BEBC5F82DC936343BE573A7547B4947FC87FFE574F2F89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.354{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047955754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.354{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.354{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047955752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.151{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.151{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.151{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047955732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047955717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047955716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047955713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047955709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047955706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.135{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.119{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.120{3BF36828-6414-6125-5BF4-00000000CA01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.838{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB24785A18EDA6E64869D1C89CC37D85,SHA256=675A0824D860B5BA5345C5DC5944799DCBE831F3E50B474E725A3EF0424E9099,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.838{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B1B5F3A71BA332CF688BB83B41C1EE,SHA256=D93929120604010D7052CE5D37ECFEDD6ADAB9F64A0CC611D37C94EEE929A80D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:45.524{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70D30B0A5B9B5A41085D9CEFCEE82D0,SHA256=2FBE18D06786D4C8E60E7AB72D6BBEC6EC343BDA5CBD2EF6A25C034A95C9E1B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.666{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D7B3A8EC35F46307AD6D4392DC930F9,SHA256=F454113DE1EBF7E16FF22219970F8FFB44A69FA863CC1EE62F620AA917A8C8C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.604{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21BBD3938FB01187D1C34BB4900D5B8C,SHA256=B70D6CDE3E0CE4F72755E8C2D05D176069AE7D34DAF5E1D3EACC00B25A4AA7AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.573{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047955873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.573{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.573{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047955871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.541{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59498734601020BAC82406CF933A446,SHA256=78A848F1649E620BB2511543694F8ECDBDE2FF5C8589924536BD86E64C676AD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.385{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.385{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.385{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.385{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.385{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.385{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.385{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047955857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047955838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047955834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.369{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047955831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047955829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.354{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:45.339{3BF36828-6415-6125-5DF4-00000000CA01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:46.540{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9BD8FD56981791F56E5C10CD11175B,SHA256=3056D0296548350274E5C3B147F7A0744F0680AFFD6A4E41BD4900F8EF691A53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047955990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.916{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047955989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.916{3BF36828-6416-6125-5FF4-00000000CA01}55763868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.916{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.901{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047955986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.745{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.745{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.745{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.745{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.745{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.745{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.745{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.745{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047955965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047955951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047955948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047955947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047955944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.729{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.713{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.714{3BF36828-6416-6125-5FF4-00000000CA01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047955934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.166{3BF36828-6416-6125-5EF4-00000000CA01}16765956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.166{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047955932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.166{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047955931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.057{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047955930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.057{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047955929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.057{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047955928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.057{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047955927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047955926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047955925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047955924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047955923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047955922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047955921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047955920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047955919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047955918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047955917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047955916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047955915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047955914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047955913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047955912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047955911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047955910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047955909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047955908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047955907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047955906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047955905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047955904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047955903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047955902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047955901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047955900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047955899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047955898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047955897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047955896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047955895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047955893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047955892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047955890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047955888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047955887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.041{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.026{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.026{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.026{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.026{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.026{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.026{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.026{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:46.027{3BF36828-6416-6125-5EF4-00000000CA01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.916{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454EBAC611CB1EC48B03E2D649010C49,SHA256=35D80D4C4827B1725A95E75AC7E9143218C0F1045CDD5FEAC2E891BC6569A407,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:47.559{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D78C8E253A15F90CF15EB0F117C16B9,SHA256=595E34781C0EC9CADAA995545211D446E2E1D88879B5580A552CBD6F8EB08C57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.698{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6553A5C69B99D440B6CF8E5625B94706,SHA256=DEBA727D41487F376378A819F77113687E9B16BF4F88DD24238C97E6CD642792,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.604{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047956053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.604{3BF36828-6417-6125-60F4-00000000CA01}31524840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.604{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.604{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047956050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.604{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F81D79033C1B8C7C29D5EFDB4C9AB325,SHA256=2E15A6652E63FC08914177454356F9477D013BB52ED101595F4F35C36539FD7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.541{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4410E1DC66D8FCB676FBCBAF53AE30DA,SHA256=221504227165D28133453BB97703E9129BFED31EA87665D100D233466BA914E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.432{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.432{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.432{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.432{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 13241300x800000000000000030725462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:26:47.275{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7992e-0xbe681bb7) 734700x800000000000000047956044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047956029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047956013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047956012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047956009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047956007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047956005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.416{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.401{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.401{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.401{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047955997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.401{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047955996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.402{3BF36828-6417-6125-60F4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047955995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.182{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8B59C537E5801A7DD1F9A54FE381E11,SHA256=2341B20F2556B602C99E01376AC3AECB7D751FA415817F4009F8EA92DB554B3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.088{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12D0EC974A832293A638B5B0AE8920A6,SHA256=A908B23FBC93AD6306664B36435E7A0BD7E4A7B1FE9EBFF2CF2F3AF5B7534E4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.041{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B5612AC46B1D2F3785A0F88FFADD9D,SHA256=68A63D8ADDDAF21C7FBBEA00F5999DBA807B289135AFAC275D8D3BAA376477C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.010{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CB4A4E01AFC1907E90D4029FBCFBD47,SHA256=A0A50B1CC4DC51EC965A5180A414F875C5F463F27971B8A5F7FF4EDC6FC64639,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047955991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:47.010{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239E08EA20F342E5D07231FC7408C5AD,SHA256=3F6A0AC5BF9AD673514A2A1FD0CFB2570CB5D14DFA4CB58C380C5A966E8562B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:48.916{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E5E1C7D28E195E3830867430CFDFCF,SHA256=D00241AF6305491982D949246E8F98A62E49B6A0B87E05A192D3382A618B77DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:54.134{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse168.61.215.74-123ntp 354300x800000000000000030725465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:54.051{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58866-false10.0.1.12-8000- 23542300x800000000000000030725464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:48.574{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28FA4AB91129DAFA26EEAFBA3753300,SHA256=C730CB869867AEF1055BDBF3660EF8949EB847E07ED04205335166CE5E2DE85D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:48.057{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F56C636E94AA2403C22BAAB2AA3B5EB6,SHA256=3E9F82CC03BE6311900C0982FB53C2BC2E21ED7888C7CD7A80029D62B63D0D82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:49.948{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F750645BE90BDD9E7A91B82A9EC3F552,SHA256=64A5DFD78DD97EA2BA1DC33C9E33B5D2F59662E8519F33D137B4E6FDAEFD1086,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:49.588{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E52E70CA4F207C62776421432BB283,SHA256=15C9E916F8F84A309D10D3DF175628DD956295E33D382A5E3FD0135AB18F85BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:44.958{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53787-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:49.088{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FFC2B29C10773F1F5006BF32280656F,SHA256=E095CF4ABD4A201A87EFFBD3017151B788A2092DDBEEC9958C24546C7F8C43EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:50.995{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA12B06041F17FC53B6FEC70004024D,SHA256=645F54E12272EDBDDDF5555521FC2B1FEA66BA77AB12B2A4A22C51ADE551E621,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:50.619{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC68B1B04EC2005D126AC255632B3E5,SHA256=929B91D4A4571E2C5C4B9E990737FA7D2F472690AD75CECD9095421F48E1D271,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:50.229{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EF06326E9949FB4BFF0D19FA9C25847,SHA256=168DA3570BEC293D617781C4A8F3C34D8A163A6ED4B7512FDE2C0C024C46ED3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:51.671{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DE00A8901A011FFDB0F59F48C2FE99,SHA256=E0D6355B5FB25959BC6059FF9440293C8708E6DA8DB3DD94ED596FC2D912DD49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:51.370{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E62B88363824B91E6F4B46C10EDA30B3,SHA256=503486F753ECBAFE0F55A3FC6F3A0B8017FC654FB585AFA78C57A4F05ADD73E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:52.717{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F43BC28C5B243C4220F37D9B8A15CDE,SHA256=8741EFB5D3C17CD03C2FD8396C44CF8375554F14F157FEED170DD1492B9AFD9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:52.541{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AB011ACF4F4CC5782AB487E817E1F52,SHA256=E42197FDDEFDD62F293BD0D2050C980AF98C0DFF731D83CE33EAE1B406BBE5D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:52.026{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6877B45DA02FF72A53F75268919FBA48,SHA256=E9E68A4C50E8BC8A507587E93BC4C2FBC4F58E30614932D014E97209330544B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:53.734{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387463478B015778C9475DDC7FE65470,SHA256=01AD6A95F8CAC81478C28B48CCA729B39A2AF6CA365BF2338E578CA4DCEBC75E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:53.745{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FC9248B3A93940BE59852900F93519E,SHA256=747F003E630A0D0562FDD9CD5C5AC2890C6F90ED854918952D08DC39EB984E6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:53.057{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04285D87ECEF66F081A2ABF73BD28F27,SHA256=E411B719655C538ABC948DE17CE516F0C7D6296D395B288487CA5B98C62F5368,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:54.768{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D01DC7B10108CFCB3A2A8874529F3BA,SHA256=FF078C3B7B02C6A78E875BA4EFD9DC108D503C6C2209E2E4C149EE53BD5DB0CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:50.983{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53788-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:54.073{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85237411E74AC198EC33C4E1CCE1F37,SHA256=B776111723EAD82297F9244B81358A3AE69690442E0230F085A4CC35E2148C34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:00.014{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58867-false10.0.1.12-8000- 23542300x800000000000000030725474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:55.783{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CF1DDA8E78EE9003DEF3D4C8CDAF33,SHA256=339A8B12FADFC0331B867857BF103DAF5018711AEAD3C14C13FF62D207A000BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:55.276{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EB7B2BA5F8BDAF9EC39D70CEB8EAF17,SHA256=A91ABF14ECABAE3A75C03BE7FE198E31B2A18B833357A939D51067832E563DAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:55.104{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA382785E1156EB06643BE75FA4BFCBB,SHA256=19EA4657439312048042AE28E14F68C9E9E0646AD983BEF56B1E23B71BD7C24A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:56.798{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925EAEA8D17F0607BC100DC296F0B15E,SHA256=AC9A20FC57FD958429F89800B67D0E1EE1A5CD3E639FC2B1487AFE323AF8C330,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:56.389{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDF338BCF0C3313FA580007849194551,SHA256=B81BF49585B02E884677C5E0C4054465023F111BF52D877264382037E0926FF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:56.108{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09EB57828EDC15A746EF7DE7020DFF6C,SHA256=EE5C13C92F06D97853EA3BA837F0DE1D20EC3B6D76CB7987BF78A8A9D5D44B27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:57.835{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDBDBA4AE9582203E24BEBB9E13CA52,SHA256=6C751ABD8E9E1A4E65777FBB74DEC675F24F8FC2409116AECC28B9805F27CE48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:57.514{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F7B03AE77B3F8219F185BB34DB709E7,SHA256=48F65319CA5F594FA77164D6848684091415974576C614A20657143A33CBA168,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:57.139{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B300D911E3935FB06EE44C4653BFA3FF,SHA256=953A1C6D719E0A85566E5C9E0D1038A365EEBE553EFB73A10CCCAEC5E337987E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:58.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3A88B95B0DAF43B23E100AAAC5CF82,SHA256=611355C800E50BFBCE2636C5AF30505AEE47A473F8B0547BBC5120270A8343FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:58.639{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2582A6304AB5DCE177DF7ACDBEB07D19,SHA256=00729ED1F6500D5FFEB6BEDB8AC1F084415FE3032E8887FCEAC7195B9E62A688,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:58.139{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D96CF516D2875065506918C8E19BA7,SHA256=9799108988EE46F630801DD9C5D14D0B6B6E948BABC408638DF9B19A9233EDC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:26:59.879{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBC3B2EAAFD5949D0059C091C868E32,SHA256=BF656F19E82EA4B3883CFE03CFC80DD6D5F6E01B192FA24B0B1DFA3F88A7FCB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:59.908{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5189FFF984BCFD89BFEA96148C7DE8EA,SHA256=93435BD383BC447D302A19B8E169FE13CC4867D05A19D3D6F785C57528B2BC48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:59.145{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE7E9B5D0E9BD212DADB202AF1CB8AC,SHA256=48CF3A669A6C1E84DCCC069708F10807066CFEFF42330D4922D4409D608A70A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:00.928{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78746CE16374D6480B25B73CDC401AE1,SHA256=6F9357A79FEB93CB3C2B4DEA53B649AACDBB327AAC41A3F7D0C4C9E0390D0937,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:26:56.914{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53789-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:00.158{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72B641219215D02B5EE2C91C711B8A8,SHA256=47DCF0B605FF7D7CC3C7B0FF4BCA5016D5955D928107AAC56AE9C8715076C58A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:00.163{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=157BED5B5951BA9EB55D1EB2B61FF4AD,SHA256=8566E38311D0A0A21973A897B8BFA91CC79230FA3463D79B52C2B85DD696E133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:01.946{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10BEE0F368319E76A8D8C01926AD347,SHA256=341CD1771F4DC541A36F5A80DD840011721995BED4624E5F7CFB4854DB059F5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:01.396{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C287BF62FD2C5440441C11AF633B9062,SHA256=F87264FFA2AF597473CD741BE55A53B3E79AC0CAB497CDA6581C4E3E6A6DBEFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:01.162{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1699FE165167C39D9134C9CC31B9200C,SHA256=24B57B47974F45B46F58A69346BA625DDD463826F8D14398E3E61C7E4FD5014A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:06.025{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58868-false10.0.1.12-8000- 23542300x800000000000000030725483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:02.976{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE1E70D96CC8C6D92BE986BCF6F7AE6,SHA256=35A92E6ABF3A23E4086376169EF64D9BF3E336BEF3088C09E984E37C233163AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:02.552{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6C89FE21E425322811E07D2DACA8F5D,SHA256=5C1D1B8CA64F48153FF77522CA62C9EA2AB8606BED2B8987A15B91C061FACF64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:02.224{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694779F0325EDE7F93CE52C18091A0D6,SHA256=D491F64D15C41CCADDF9037BDE5AEA8B8269C2FEEB64C2DAB90DD626B786EC87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:03.981{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB73F6665715E0D0B61BBBDA6622D21,SHA256=378FD3B9BFD8669F35A00F8CAC3C71F5FFCFA402312E7C1089807AE02451FA77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:03.912{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21EF0C7E4337B23D2F4C4291A4FD199D,SHA256=8FF0DC52F3F5F73AC63B115B57E7FC7969BC2E3E1B7BF15F45F6755462E7371D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:03.255{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2EB299D080434142449B42DDCE9316,SHA256=080DF282249B04588B555E65C3748AB3509728F4CD9E0972C95C434E70D4E716,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:03.866{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6427-6125-7000-01000000C801}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:03.866{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:03.866{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:03.866{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:03.866{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:03.866{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6427-6125-7000-01000000C801}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:03.866{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6427-6125-7000-01000000C801}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:03.851{B81B27B7-6427-6125-7000-01000000C801}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:04.943{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40AE803E61620F87F4C94E10A75F7937,SHA256=4B123B120E4508B1D63D11F01A5133F5F180BAE764E3BE92EFFCA96AB8A15AE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:04.287{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184DB16A07D1877F070DC1CC6A6B493C,SHA256=AA95A9705E342B69CC64AA93BB5543F8D3747D8BD375BB3C93337F623359CEF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEA3FA26FD4EE3C1708E85DF402735B1,SHA256=589A472D3EAA0818201CB512AEB888DB281F0FCE5982029D48A73D4C6D16A3BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5E5D2D2E3DC8EB4246D6D408E6A19D2,SHA256=33A01ADA60170E84E3FA31ECF7AB809B94F40DD3C9E0D8C32797B3B9D0EA2980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.612{B81B27B7-6428-6125-7100-01000000C801}8326200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.433{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6428-6125-7100-01000000C801}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.431{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.430{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.430{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.430{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.430{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6428-6125-7100-01000000C801}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.429{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6428-6125-7100-01000000C801}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:04.414{B81B27B7-6428-6125-7100-01000000C801}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047956093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:01.838{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53790-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047956092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:01.838{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53790-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000047956091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:05.302{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5675F7698F1C0FFEADF67C58797A5C7E,SHA256=C17C4AC479D04EF73F169E545F0D453527010C4A05B4751B1DF16A3A0317CD4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:11.060{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58869-false10.0.1.12-8000- 23542300x800000000000000030725504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:05.013{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B6FDD809181650EF7326A00AE886EC,SHA256=B0362F0F55A0BACDA0CB3EA5097F086D6841D004CE70A6C92A0F2587DECC8C14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:01.962{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53791-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:06.302{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260E40B891325696F783718E044767FD,SHA256=0C41E23E29FCB276B118D2741B16A5C534EF9C0736A60C4BFFFFB34169ED8EB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:06.034{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1BB7629C3121BDCFED8E60A9143AE4,SHA256=9CEEB08E6698AD7B90E070F78A3B1AD3A7309A3AD5296A38F0AFE47798FDEB07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:06.240{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACE066A8F6217DD7D11671C57239F005,SHA256=04055A60AB9196C0D7C9748494712854E741CE40E6D00E25E8E4690D1A468557,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:07.552{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8579FFB758FB495721D6B78BD6CF8F52,SHA256=5FAA73BDC3F171A4CE42DAA0ABBAFEC1BD8B7B8C9CF480575CA24788FB623632,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:07.318{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3D31C16F593AFFDEDF5501F769F722,SHA256=C2570C56585B7A422E599D24EA3507A50329444983CBCB9A6D32628220233B2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:07.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80704021DD111C94E948C916AE940C2A,SHA256=416843D3F555D025E22AAC67C8F0C5A2A1293CDD1D326A9712AFAB7ED856DF81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:08.615{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80A5CC69C307C3D6088BD9C8282C38D0,SHA256=7D25CD53C0248C18D75C317CCB8544BEDD423A21C012E7C2DD3FE70BEBB4A14B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:08.334{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E219B6C295B823D7054964DD61690C7,SHA256=D8383EAE30D38735549960482BBF84EEA968FE27ADCCBFE2504C6DBDDC4D0E4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:08.127{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B599F29295FB7FBEA81226682D5FBCA0,SHA256=60A0D1795B721323FF5FC16A8653DA7690FA6DA6BD6A872B0CB647C938BC0D1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:09.130{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21E50E59EB2EA732F9B9CB93166D862,SHA256=A1E66B6DCBE23F7F2A560CCD766B571285FF8ED03171C23366D1E002E3880549,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:09.755{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68E205A058E10B59459E3ED27D4F4AF9,SHA256=C1C092D0EE94318EFFFFA1BF8A692D44501B59733E0BEDC02E59893154B29AC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:09.365{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D63F5505001F8968C2F1A758F01FF6,SHA256=21A6C45E9846A310BF33131E949C7C928695CB79B8E6F13F520318BCF5EDCCAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:10.896{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=213D0D10C99BCD8D607866F0E96484CE,SHA256=EA28388BD0E1FB3696CBCD8F8F9A641EC781F901D92424549385D60905247D5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:10.380{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BEAA4E532A1B4D30A0ADC353D7D89E,SHA256=596D2D1FD1DCE7B4D8FBDE235F64BFAB4994ED366BC3D4DACFD656FAF761E78C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:10.134{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5597DB12425EEB7F9A5DFA157045D0D6,SHA256=ECC51511A0285093FFE90CACF800A6B4A2EB8247B07880282BDB447B831D529E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:11.599{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:11.396{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183636BA77EBC68742820AB20E2B754A,SHA256=F266CA9B79C695C77499EB315E7AC1C821B9160A5F18083F168C4C6D654DAF7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.011{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58870-false10.0.1.12-8000- 10341000x800000000000000030725514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:11.380{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:11.380{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:11.380{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:11.149{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7638CFD76595623D6F6F5FD8CC52A1,SHA256=6706A22273D863AC5354AFB2DDB027CB19C3B2EC16E8115E2FB389DB3692F105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:07.009{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53792-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:12.412{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0892B940A2932F97280328BD1512CCE3,SHA256=FC1A9295598F58CA98C91B28DA2FD98590B9E5CC4F535D6214713D3AECF4757A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:12.164{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D7C4C13B5EE637672D257738A84C77,SHA256=505DE15CEE5CDEC79CA95A15BDA40B83BD960338676C4F50C7BF0F866AC2EC4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:12.146{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D1065CEA662B6358AE066132C76EB3,SHA256=328F701E9F8535B245290AFE5A8C9F01A8A65E542888E9F833ECB6345F98D1E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:13.677{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C64C2D13424B4ED5681C0BB18B7FBD,SHA256=23BD584CF34DAF922804AB63FA0BDD77611B458E162C341F8DFCE4AD9E7FC15B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:13.412{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51E4CB198D9AE6BBCD4D96D965C3055,SHA256=7B17205A178661AC12D98848139BA10C00B7A140244354907B7F2773A9E6A018,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:13.347{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6431-6125-7200-01000000C801}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:13.347{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6431-6125-7200-01000000C801}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:13.347{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6431-6125-7200-01000000C801}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:13.326{B81B27B7-6431-6125-7200-01000000C801}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:13.179{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C641117C9A88678D8341E3DEA64847,SHA256=1F7D642A8ABC510464A54AAF772AFA871FEBDA66967A21ADB79B124E1CFAC100,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:09.431{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53793-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000030725537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE7D8909560DE9C2A4DA61009797A2A7,SHA256=78F635D2B15F684220C6EC79A588A29C39D5F0A66FD8DDAC7889A5F2B872B856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEA3FA26FD4EE3C1708E85DF402735B1,SHA256=589A472D3EAA0818201CB512AEB888DB281F0FCE5982029D48A73D4C6D16A3BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.193{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C75465838349D3A1E449009BE7E571,SHA256=855999181377D5A4D0D0CE213B7D708A3F8320E9D570DC015224195B1F469EB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:14.959{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=768CEADDEC2EF31F21AEF4ABA62C09B4,SHA256=E8181E60CAA3D515F6F738DC147AE9B85D20DC127C276343DC0472351DA41F8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:14.459{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E264AF74A292E6FBFE56DF11589C5F4D,SHA256=C47E8DAFBB231A9C0C88C714E24E9B1B6B43D81595EC8480D9A27B3B06FA1896,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.178{B81B27B7-6432-6125-7300-01000000C801}53765244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.028{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6432-6125-7300-01000000C801}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.026{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.026{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.026{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.026{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.026{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6432-6125-7300-01000000C801}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.025{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6432-6125-7300-01000000C801}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:14.010{B81B27B7-6432-6125-7300-01000000C801}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:15.978{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DB6FC517A4D0EE199171EE653FF945E,SHA256=58975DF4F35369C6522818194ECC2BD2DA20D36EA4C4F456DC71155837BE8461,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:15.505{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C0CB6D24811B5E254F0B4459A8B10A,SHA256=A5EDE498DB8353964FC3D37CA6617B2E0486B59D2B4144AEE3BC58569E646E9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:15.227{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A8F5A1C65ADA8EC21D80C95FF48604,SHA256=BAE0A3960A77C757E703CA3EF75776A837ED1599DB20C9D057211D3ADF9F1055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:16.540{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B291475D0B192034B12E90FE3D59A3,SHA256=D3E990645180B1ADFDA23C34F41F14934A663434E86B1C82DE6012E8875DED35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:16.276{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0A3571261A7D03CE3CC20D7993E0CE,SHA256=B1B274AFF9A1BA0AFA519C1C9A7AD20374FD9D868374EA8537E94E141878C3C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:12.962{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53794-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:17.571{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7200D91CC0F4290E73B9896C39D30F1C,SHA256=F0337A129D8D377B3FA979A45F827C0F8988AAC3A3A050A79E8C1BE742547A61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.806{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:17.324{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77EBDE5B1612B00A2ECE9326F3087637,SHA256=47C2B00BDE3A61DCB18DABCFB771B54D1DE22366EB9E9897F5ACBFF90B4ACB4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:17.259{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34519D8D028A9E2A734CFD45DAA467D8,SHA256=160D0B03D0A1D8E5BF364B8D6CE541639D44291ED21DADB3C195925B7D3050F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:22.090{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58871-false10.0.1.12-8000- 23542300x800000000000000030725570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:18.574{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4972A75CEDA1FFCDDB8500DBE6A104,SHA256=3F37E97F9999CB636C6A3CB5F6D727903BA66AF3506F9E7A78CAFEE12B924F9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:18.743{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4514ABAB8275AE8A674EDD1D675F4299,SHA256=7DA01911BA671B8C0DEBE932A8EE95CC83DA8B52D8EA306C5354ED9F32F8D2B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:18.603{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75E857F8A762260FD9EDF6E1D3B485E,SHA256=E6DCEBD23948B90F31959A1454F93B6E93D039A54DE61A86791AACA972C266B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:19.788{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E1CEE1700067F1D5A466271F3F2637,SHA256=9E692183CA9105E7949F818270387B812D74217D749A82F430F63757D2F59A2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:19.931{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12CD032B0A7B196D345D04658FC9657D,SHA256=91A243156FB83448B9227E7E7D6CDF54ED817AF1F6502857E4A6C89488D7AA2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:19.665{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CA3CDB97ADA06147DC31B43B115734,SHA256=4EDA3A6DA2152D7D3F80C933B6F2264871AECA18C540A45E6FA9D0EB34A6B950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:19.242{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.941{B81B27B7-6438-6125-7500-01000000C801}19884372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1564DC4DCF3999F47DFEEE8EE673023B,SHA256=B7FE25B8CFC8F7BE193DF7B5B3A8F433DF9DEA2491EF6E30477415F8DB15370D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:20.681{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1160B1DEE5DADE2A046179F94A65E072,SHA256=EF21A8B773B10696C03FED0F184A91019B89A25EA9A912FD705E5DFA9CB42D68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.703{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6438-6125-7500-01000000C801}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.687{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.687{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.687{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.687{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.687{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6438-6125-7500-01000000C801}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.671{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6438-6125-7500-01000000C801}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.672{B81B27B7-6438-6125-7500-01000000C801}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030725581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.224{B81B27B7-6437-6125-7400-01000000C801}63246848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.004{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6437-6125-7400-01000000C801}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.004{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.004{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.004{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.004{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6437-6125-7400-01000000C801}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.004{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:20.004{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6437-6125-7400-01000000C801}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:19.989{B81B27B7-6437-6125-7400-01000000C801}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:20.431{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E3B18AC70FB7957DF15D4109B915E9ED,SHA256=13735823B73A80A74FAF07320D3F71E841C52223B0F250BC7544AD192C91B957,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:21.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883DEC277F5C08C0FE3E8BB9368908A5,SHA256=D75F8F22B4D46B312C206FAE9B195F4D5D225F96426A60897F5B0E117606835F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:21.681{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20489D30EAA535A95D068A56B0AB2E29,SHA256=B407A71C56E2563DE4A4C197C6817AEE2306CD3B99F52C1A1292882EC66A4960,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:26.149{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58872-false10.0.1.12-8089- 23542300x800000000000000030725593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:21.001{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E9496FF25B23304E3F2471887FE8EE2,SHA256=AD7F738837FD0DDF06B92C3911BBD537DC381B70CF9D53E538F35A434C3D4ECB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:21.001{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE7D8909560DE9C2A4DA61009797A2A7,SHA256=78F635D2B15F684220C6EC79A588A29C39D5F0A66FD8DDAC7889A5F2B872B856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:21.024{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEDDF90D928A432EFA9169A6BB6D0E58,SHA256=CF979536C93D3D86FF825A47E4601EBD06F2029E9E4EA33E1FED2E190ECFCB9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:22.868{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DCF64B1DB242FE649357BFF392F492,SHA256=251D9AF16573EFAB031DFDFCEA044B7D325DC25161B1D6364BFCBE0C8AB0D33B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:22.696{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341CD66D4BB61B87851E23941DEBF866,SHA256=B1520F2965B7A855624473A7352128F53A08EE4230451F33487AA885867554E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:27.170{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58873-false10.0.1.12-8000- 354300x800000000000000047956130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:18.059{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53795-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:22.181{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBFCFE75FB395C8579EEA5787B86AE98,SHA256=E9501B2CDC7CAC5A05917B01B64F9094F8E449A265B201EA26A0D0733E6DDE2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:23.883{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347E6BFB3DB43339F23F5256E9B7DAD7,SHA256=2E68DF47DFD09E7D0F0F92ACEFDCBE733EBCB44EE67C0BB0D4F2B1EFE0E55ABA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:23.712{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AF2D299B387AA8E1BEE383F242FE58,SHA256=70EB9D8143D381A5242CB5B5534885E58C67BE90D1B036DC240C5573CC73CA59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:23.099{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-643B-6125-7600-01000000C801}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:23.099{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:23.099{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:23.099{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:23.099{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:23.099{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-643B-6125-7600-01000000C801}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:23.099{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-643B-6125-7600-01000000C801}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:23.084{B81B27B7-643B-6125-7600-01000000C801}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:23.431{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B88316954062C17B892940EA8F051311,SHA256=2C11F3D879DE87D88EF290E0C2D177E88D741C7346A3A833245C73B36D847CF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:24.899{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12C59F2123114E93FEB33CD65819C691,SHA256=1AFF9527F525FAAB8B38404F50ABB0E5E9109F2328B2B2924A6025CCCF39B764,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:24.728{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE38628F81A68572B891BB3F3CF1F30,SHA256=B04103DFDEFE913E52B5709AA1DDF5A1AAC772F44FD273C694B097CD62F4B9CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:24.913{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A21FDDC81F3E64199B8C50342C6EAC9,SHA256=5694D25E159E24F6908AB87C8166F73EBC236196A433BEF56C87E9F6CB3D292D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:24.098{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E9496FF25B23304E3F2471887FE8EE2,SHA256=AD7F738837FD0DDF06B92C3911BBD537DC381B70CF9D53E538F35A434C3D4ECB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:25.790{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD57796436B7E00CFBD2039DA8C20968,SHA256=2E8893A36B55C4120178BAFA0543BC432ED7EA61421D5CE7DF11723CC618A3DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:25.928{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BF9952490F0E701640692F109A5A74,SHA256=E48552C9022DDBE89CD21850DF0BB337B2D9232CA936A6A6D44B46C49BAD8671,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:25.748{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD0F43059DE1FC6D97AE5EE0C44D4E9E,SHA256=68606CE73BE446A633FFFADCF53E60CEB29D227066C69B3CC0E1CE21EB826324,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:26.821{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13675ADA39C42743856894471B3F0CDE,SHA256=469C337F9B787D37F06A083E0128D662C4097802675E0FABF7A02E987F09369E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:26.024{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ABCE441CD6E3FECCDA0765CDF862C48,SHA256=2DFC41F16EC7CC6D42F0C0626997547A1AE9F7126A43CB95BEED2EB2A543F733,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:27.853{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC58869D6607C1E7144C2E15F658F47D,SHA256=63B87EC014E3B81CD95E8DBAF1A5307CF98D49AAD8814F6E557057C62E8D974B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:32.173{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58874-false10.0.1.12-8000- 23542300x800000000000000030725611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:27.011{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E075F36DC71B6F874E10C71D99448D9A,SHA256=1FFD6C39653C842D52FB6D5B6B96D13F28B603B44E0BD6DC826E32638E380609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:23.903{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53796-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:27.290{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FB4A5D53730BB3D18036D1866B206D7,SHA256=BA2B534B96E7C195AA0A943F33CB57F0ED2DB0358F8A93F69E6B7CD91B89195A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:28.884{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C4EF50D82618B52894C183FD8E62EC,SHA256=F1CAAB38377BF444E0BA8A02E47AF5ED75AAED0E3E51BDE3971D511486006037,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:28.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69F2016276490C68EEF1A932FFB5C0C,SHA256=F1DE4CC19B77DBD0A2716194E1A75EB4B275F94586559308B0754BA62DCFD11C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:28.337{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=605D80AB2860238903B724489F4FD779,SHA256=A42A508D3161686E40CEDC92A3595706AE9EB068B4FB576914BA2CD8FE3A0A28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:29.884{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EBD0C4229B26A506D14DCFEB51B9C6,SHA256=0CC7AB228294B15F27FDD7AF24F0403303BB1961FF2E1BFC34736A617339E2F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:29.046{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B44CCE3F1397B97D071BA17E6308025,SHA256=25334549D7C73DE496D26CF1F1A8D8997CCB922A782C9DAE29EC6F3DD383E922,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:29.571{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9F056AA283B5137729C385245A55CF8,SHA256=90C70B76E87A137CE5D424B25E49AAC0A427DF53926B4FF48ECD34655347337E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:30.915{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C9D9A49C49A5AD57815A2EFC449B6E,SHA256=811503F48B9BFF9035C5B0E7F526023A7D823E358248CF026E3368792E22D9C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:30.108{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BC79D2EE8299DAB1330895482AB4A1,SHA256=617406E23A6A86E3D0A9A0E43EAC43EC927B7B98B4EE981A72A03CA84406CCBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:31.915{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB8C6B8D7966CC403C4E95973D17C9F,SHA256=CE0C1362BBC9F88F82E124E81289C480720F7071A3CCB922CEEC456D3E1F33B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:37.190{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58875-false10.0.1.12-8000- 23542300x800000000000000030725616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:31.140{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEA3A1B7FE8DE7B79A7DFC86C44BC07,SHA256=B0333AB611BE9EEE56F3FCDEEF764FCC01A1B084D17CECD1736CB5979E5871CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:31.087{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A13D591F76851195B7F64EC7435B2DC,SHA256=D1670B3FD4D75D3FEE37C48A6611A4DA9EE20C78546CDCD10D4AA4CC55B566CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:32.915{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76FAB97A44B0071A0CD6FBC41DB3F57,SHA256=2F5D00DA1DB91E9E4294131C99A5902B130198D8C57F019766796B728D8B4B61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:32.175{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997846DD768523F44C4A9F0CCAED25C0,SHA256=AC338B4ACAE0951A76C24E551AF68D3B08254328110F891B499E84C7161901BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:28.981{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53797-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:32.181{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F3D89CB3C332BA2B215629DEF63E029,SHA256=94CED8DD7C112EF7C5657B68B9BC3C5ADBF2BBD591D44B602DB64E7CA2EF517B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:33.931{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0667A436822ABAC8B5F585EDAF2F31FA,SHA256=857CAB684FF50BE299E5AE7F50C105A7F603799752900E79BB0D4859A225E355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:33.205{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EE7442DF7C44DE52071399A9F604F5,SHA256=2A7ABEC2FE521A44A818B2CEE93BE946855BFC0BB1159767B7FFB06E0DE8BC80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:33.337{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A42A291C7ABC45E3E4EE3C16905FD1F1,SHA256=105BA8AE9B5237CFB477DE8F0821CBE3F708E10728D7E2915E2C437EE1B90D47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:34.931{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F943DA9B6A6E5D616224CE791C8A80,SHA256=A4C0E7489FCFFB1B2D91AC6A79D66838ADA2EF154C8862B1058D1A60C81542BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:34.238{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775B128D1D05256D3329A1F67B64AE12,SHA256=14473407839BB3EA019978800BFDC3FDDC0F1B3B5A6AE85F9140295394308FEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:34.618{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EDE57345D8BD0BD95769E8842D62AFF,SHA256=63FCA138B015F1DFD5EEAC4BB4D2E1A40D4C88C14BB63761AD05F003A79A399A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:35.946{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A256A75ED8F885BDA19AA614C2658503,SHA256=0A618372DDE33622E693A48CB4E19591ABCF3C5DA2E74A6017ECA0AB449C6E56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:35.257{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9610167012A589F718CD0A94FA300F,SHA256=43950637F8EE781FFAA96C869FBA541751FBD7E288F892C931D7716E337483CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:36.946{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1991A896C32D3734ACD901EFCA17DBAF,SHA256=0CE7424167EE49C77555239DED7B6377B846A398F0F0B6F0D0E448C72D0655B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:36.287{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC1424FF4896B7AB8C565FF37094BC0,SHA256=932F4592342EB3FA5B6677E5EC0A63F060CB6DB772D20DA181D453C2646113A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:36.227{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF7485A35FACA2DF8E95A886EB401119,SHA256=90ADEEC90C9A370E0F44F3598FDFEC9168227605663D5223A206861CDAD5E6C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:37.961{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F832F9C989EB1F22AFF4B43503E771F,SHA256=F59DB93497CE8810496386C8C9D5B0FD7FAC83336BCDE7ED07F9FEA5C51A3807,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:37.318{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D038E3026177A7F2CF994404AC3B96,SHA256=81AEEF5BA81975D8F8100C3D56119042AE367EB23276068AB075087C7D9CB0EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:34.074{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53798-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:37.274{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFD2D4298455F1191454A75BA2D19927,SHA256=2141F318E99498FBD32577B8200614A6A1291252EC382DEC5D362D9851718233,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:38.977{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7B664A2531EE0FBCEA7F64167073E4,SHA256=B1334E5B3F804D3C2EC18584CE9536D2DB8FFFCFBE9E11237E77F5DD07199506,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:43.000{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58876-false10.0.1.12-8000- 23542300x800000000000000030725624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:38.335{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFAD2A6AAE0CE8E277BBA69C4FFB997,SHA256=B93D1AA747A9FCC8C24D24BA552FB2BC96191B3A8087FC4462F680F6D9567D0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:38.633{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D5F2B625E265DA3AD0E93EF07265BC2,SHA256=CF78ABB7C2ED40E81D19D399B2E01E4D48E136E5152729CBF406565AB78ADC88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:39.977{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FDF52B9A4C87F20EDF1BC7AC8C5A7A,SHA256=04B479E66FFB1917FE1B41A446DAA3A4106EFA6BBB1A8FE78972EA370AAD86B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:39.353{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC00D2CA09707D23FA3EBFFB1D5540A8,SHA256=95827274172BC8B9ECCD369936910D034397A5B759CA2562D76B78865D33FB4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:39.696{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49548871A6FD0F820C19FDEEEC76C15B,SHA256=18BD5DD8BE55A39791B83EC7A1331FAB1F6333506DFAEE4C8FA44F1AB6A653BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:40.992{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5457F12521B3BEC3897A63F293D5A65,SHA256=6BC3FD592B09C3D911D1699DCE1644B708DF895B1F39BDCDFEF0A81AB4E44899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:40.415{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CC62FB811558E5DC9BC1FBB15BBCFB,SHA256=D3DC033DBF8648F5C0C1427AC0F0655443E89810FC81CA3F183199F0C572A7DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:41.432{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DFC54308A9E30424AAB195F13D990C,SHA256=C6ABD38AEED6739D50FC803898F3A377F05DC9EC1C3EECFECA260B4F86C7116E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:41.180{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=633B3530C4A4B10EBEBE2C5795B9073D,SHA256=5D9863E0FB33AF16D308919722BE28831B7BBD44CF672BA4ADD9BC33747CC522,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:42.450{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF5EFD6373A076C314858AC698D60FB,SHA256=23291BE39095523FD83A4DCDC6D239CB865667AFADAC3394E12E2F84EB0A9E3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:42.289{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C31308CB9DB43236807F34C2EA8DEF5,SHA256=E62F36EAEF2D7C48CC69B23C3BCE7918E0791729BF56F0FE1E1FABDFABB3E8FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:42.008{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2FD35163EC368F4DE041B1E6AAB3B0,SHA256=19C73B2C6A44910E57763139BC5E1849A8ABBDBBD70B5D6CB75DF8D812BAC9DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:48.143{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58877-false10.0.1.12-8000- 23542300x800000000000000030725630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:43.496{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AD2A06BE376A52B796D792670DA440,SHA256=62E2A75ACADB30241B871DDC149884E3CB2EBFF6A3B9E680EF70A69BA7F271B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:39.887{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53799-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000047956231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.664{3BF36828-644F-6125-61F4-00000000CA01}844184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.664{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.664{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047956228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.664{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2250DD6AF9761709D6010A101E0DE8A,SHA256=7B235FD8E49F8C335828577FC15E672F0F0C72BC9D5758BC89E2878E05E3304F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.477{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.477{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.477{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.477{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.477{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.477{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.477{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.477{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.477{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047956218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047956203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047956191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047956188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047956186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.461{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.446{3BF36828-644F-6125-61F4-00000000CA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.446{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6F1679878DD88DEF2E5B3A861501DC1,SHA256=D35A91C6008EC4BED00221FD485E26F8EF3292E5EE4D8FBE9F6AE60D69B8DBF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.008{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5334C01D5CE630ADE86E09B599E79C23,SHA256=BC8AD89904650DEC66EEF5D7F6DBDCC5A7D1C2C7DBEAA911D058DF17ACE1F816,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047956172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.008{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1600-00000000CA01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.008{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1600-00000000CA01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:43.008{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1600-00000000CA01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:44.511{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0C03180FE432938BE67EFB5A8F06E7,SHA256=EA35F8E3429345B10DB0D29102057E0A2389CD04640D5B7B170FF8AE8B9E773F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.946{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=428B76F9E6980549A2656CCBBCAEF507,SHA256=F4AC427EABC669598FBB0BB7AD37F53CE89FD33A7C14740E00D999A557A998CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.852{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047956353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.852{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.852{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047956351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.836{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E99E57534912EBB4D615E2EBC9EA2E7,SHA256=83BD2CBA1007BCCFF9C094ECBD2EB630730E80DA0D3077EA856F905FC42B40FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.774{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F32E36AEE243417FBAE338A324D09A71,SHA256=3041BB15823E985B996D47F8A6108DF0A52FD09FAAE25C0630E8438ED7481E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.711{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D23BFA4E71AC5443021F95EB46EA26,SHA256=E8D7128689840D43D76F7816D77C5F3DDA28583DA5A1CB88E44DEE540D9F592C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.680{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.680{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.680{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.680{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.680{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.680{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.680{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.680{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x800000000000000047956340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.680{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B54C250B7FA8EC5B8ED79174FDF76B,SHA256=3B54DEE1EC158F4D6CC951D69841C658A8B9DBAC9A4C45D6A7876D67B5770042,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047956338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047956318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047956316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047956313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047956312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047956311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047956310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047956307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047956304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047956299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047956296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.664{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.653{3BF36828-6450-6125-63F4-00000000CA01}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.649{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C911929B0C0E5AC7E6F814F293CDB2A,SHA256=972B4C9CCB897E4D9E6F422C5345445232765FEC16C798D288D4CB36A885EE30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.211{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047956288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.211{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.211{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047956286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.071{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.071{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.071{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.071{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.071{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.071{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.071{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.071{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.055{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047956265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047956253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047956250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047956247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047956245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047956241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.039{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.024{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.025{3BF36828-6450-6125-62F4-00000000CA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.008{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C8FF1F758A08684717AA8A28F8143E,SHA256=D46DB943CC480D6DC0A20521F49E17510B119889B8F690466B31FC4C6669B03A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:45.527{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E85669610A568BFBA068DDF8E1EBB,SHA256=CE2CD98488581B8B1F54A77C895C6080FC3F9836FA5951E9F0D2F8BA705BEC88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.821{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8873A69274A1EF4A24D1C2BF200C31D6,SHA256=75A8138505CB82E48EA07DEC357DC92776D11F3F68B22702014A1F9F6F3C03FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.758{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACC9D1CCFB40C566C52DF7BF7503FDB8,SHA256=92E66B44AF5A957957419FF26D4324F1FA8A46D8A683B9F58A8757A842D396E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.696{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E3AADF6EE7171C2676DA7960D211C3,SHA256=6AD1CD62A54ED2E67E52FCD54E27D07F892B4E07E727CA7A5AE71CEC0F526BEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.664{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24F30D09A67E4657C09690FBB0BB9C53,SHA256=FFC50B6F5C39D72F32823E4927642F7044A1D2BC6F94562B21346E41E5AE94C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.664{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDD6A1B1D74AB9F1C58B0F88D71C8457,SHA256=D69E10FE437BC354672B360A73B863E7EF053E00295450B203DB9095DD8BAD4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.492{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047956411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.492{3BF36828-6451-6125-64F4-00000000CA01}16086116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.492{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.492{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047956408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.367{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.367{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.367{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.367{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047956390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047956373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047956370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047956369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047956367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.352{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.337{3BF36828-6451-6125-64F4-00000000CA01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:45.024{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CEB0CDD1D6A76ED75EA0693CFAF53C,SHA256=3FAC035B978F983851F6D47FB8872F71873E14A0F3305F1CD60ACEE13AD7098A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:46.577{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7884111E5C56E92FE4FA9A6723526A89,SHA256=7D70FF9907D02A24F636CD9023F3434EDBE25508508110EE6F1A803079D084EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.867{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047956531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.867{3BF36828-6452-6125-66F4-00000000CA01}41525636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.867{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.867{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047956528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.805{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4882BFC466128F7242D79A6CF92F99,SHA256=5BAAFF32EF682D2AFCCDB991DA7A7209F19503A83A3D2EB02D6FBF065C97E51B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.805{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0D6F69848083097A0EAC7230D7F4488,SHA256=CC25C975DBF2B5E5C156ADB6F08A24302FAF654A73E8091C2EE66A9A35541826,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.742{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.742{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.742{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.742{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.742{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.742{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.742{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.742{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047956505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047956491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047956488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047956487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047956485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.727{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.712{3BF36828-6452-6125-66F4-00000000CA01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000047956474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.196{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047956473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.196{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.196{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047956471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.055{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.055{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.055{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.055{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.055{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.055{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047956460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047956439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 23542300x800000000000000047956438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3E0A89AB3FA02A380CFF6A28FBF015,SHA256=387C1A8A2EFB4ECCDD329A647D05204A0D4219C1194C5DFA232C92765A311BAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047956434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047956431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047956430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047956427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.039{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:46.024{3BF36828-6452-6125-65F4-00000000CA01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:47.607{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8852F20764538B711EB049AF8DDD5B6E,SHA256=99FFA40190F5FE65C4D48C9062951E355D36E7220A49F3651B2B4466CCD9A3B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.836{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0E933C516BF2FC3A3337AF71A6EF3BA,SHA256=A7436ED5459880885B192196D61B8DD96E819DEF8C599A0FC9F044D5E242D557,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.836{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CE27FC98A45DBE0969FCDB4E9FA994,SHA256=6D9B966FAF60415B1E3EA6167ECC30D7A117586AEDA1133BDC6B6C58976B83B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.571{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047956590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.571{3BF36828-6453-6125-67F4-00000000CA01}42203684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.571{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.571{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047956587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.430{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.430{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.430{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.430{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.430{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.430{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.430{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.430{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047956567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047956553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 10341000x800000000000000047956551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047956548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047956546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047956544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.414{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.400{3BF36828-6453-6125-67F4-00000000CA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.211{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A389A6AD4791A3BAA174B8EF1DE87E58,SHA256=F44B1082C16359E560F5A439DA6D36C9D5CA729F1928958E8D007B9EE2F7A686,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:47.164{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB47A4B97B6AB93D5B75E685F2238BA2,SHA256=A66B9B05E4717F3F0B0974017402011A973451C724D989838495D3B88D800415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:53.974{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58878-false10.0.1.12-8000- 23542300x800000000000000030725636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:48.624{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C16957EC4BE4F28B90B0346FA1E7E5,SHA256=2212222A6B5C7AEB47F78D9CAA5ADE20529DDEC4F5171515C5D3729E92F60AE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:48.196{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E3D89A0A2ADFEA29B775110721F8BF,SHA256=D7316B9F96B9EEF03CED0DDED3751B87FE74487128C86F1AFDC5FB0CC6B62B53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:49.658{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C3383D2F0E70273F26A22E0CC84B60,SHA256=DFECF42D08EEC7E2A0816750A8B8AE225E8140017A98F75759FB403D79930F2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:49.211{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B8AC48990BBCD6B5B3F2D5D8340DBB,SHA256=E23FA583704F32FBF1A7C5868CB7570833D339FB43E98DF8A9FDE2B5F770FAFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:44.980{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53800-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:49.086{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=354E66DB8B9BD2CC6B04C7BB1B9E76A4,SHA256=6CC353DDD14D5BBA38B6CD64E08F32DAF5428A02604509B5FCCAEC109FECE1F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:50.672{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC08C51F5E52ECEE2AA6C9B0ED53FC0F,SHA256=5576A7253A6FEBAFA6635C644399221A0D255A8EAA307A419A17B47C9538DCEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:50.367{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B376CA603B3DC5380E4A1BCB3861723F,SHA256=BE5C64996E70550CF33A0472CB6063A17996E75EBEFFA205B290746A6757A33A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:50.367{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E9B5A0BC8C1E76068C1C4CC822F294,SHA256=FD16EC97134B7412EE94CEB47DF11A2751F714ACF6AB041EC3F92890765A4394,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:51.687{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C94EAB8051CB399C3FAD0B8B531706D,SHA256=0E35282A6F90415085954E2BA9B3E7685771C9C3019D3E34F1FCDD8112539C65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:51.508{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD74B3A176D2692133965D03076F2B75,SHA256=4251917049A00C6D73AE6E64D054A2089612715B51D5FA97673CE1A0CB8038E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:51.383{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079A95C06FD0ACAFEED475FD27025579,SHA256=66B4D23374F3A41B4EA22C3327125D2BC387383D4ADF8D43A69F83CA805C691B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:52.719{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00D3D7CB4AC6C225A2398DD6FCA7871,SHA256=12304EDA14AAAE7C6C66CCB39A641E6E2D72F5D854CABDAF94BE0D33A8ED0ED0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:52.555{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9CE83464CDDF820A404E1646C529CD2,SHA256=B9C8AA8DC861D0224589C6502EF284A43725865FCBF48879FF0455917F4F0067,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:52.399{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6681EFDB62717702D996D1A85827E2E4,SHA256=83AEE97D8DE300D3E76A7615AE0C3CE83043C46722E8BBA5F544E0959EA48540,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047956617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.821{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047956605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.789{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFB0D0483007A9636349B262689C60E5,SHA256=7D7BF6EBCF01C4EA4AF459914CF818C9F512EF35297D17C5ED01328A5AAD62C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:53.399{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC140BE56A4C74AAFB46C38409310DF0,SHA256=C63376C3F643E7D798AC373E41840C6F420D4143E9FA74BC5DBA1A80419484D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:53.955{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=BC127CDFF683891CA020005A3946ADEF,SHA256=815178192BC67D8B0B01FAD27C8DB3B824947B5A52EB40D12B387237129AC6B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:53.955{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=86741F6FC3D92322E8164E09E5313402,SHA256=2EEAC2CBC7494F5F6D35D066B01808ACB1D87C356440417FB1DACEC3EBE508B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:53.955{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=2C07FF975A31EC17892F1644C97DCC9C,SHA256=F2C782E4D47D700574A8F8B5C2902FFDB6249BB01A63116E3880184B9F5B9AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:59.084{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58879-false10.0.1.12-8000- 23542300x800000000000000030725642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:53.771{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736932C393DDDA9D448CAC19954B9490,SHA256=1F2AA74969D53547432F76B828241F9C94F9217F5CA76D4E691C5B3B88D4AACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:54.801{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F10C96648A6CDC2EE42FD7703ECA1B,SHA256=91EAD51847E6F4EDAF57EB1799E4B298D9D9733D6980FECD603C7E11151FECC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:54.930{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80EAD1795110337C9367C523197918CA,SHA256=C1FD78AD48A9F02CC80D156632690F2973CF58C44FCA217121160B9369EAD9EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:54.430{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572C79B2C31F82C496C8764AEF2E6E75,SHA256=BBA8920F6FBEC994FBFAC36F4E3BBA67787A6E86EABC1518435BD6F0DDADAEAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:55.853{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FDFC7A1063219C2CA7B0300535547C,SHA256=1FA125F8556EA9CE7A5B3E46859C636D1D76AD8F06C51ADD8FD82C6AE55FB0B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:55.446{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA630BD8C51D4AF4759437E06E41CF6,SHA256=AD3CCC4CCB56A7DDF9CEC2D16B657BA9C326AFD5A9CF43DE179F130A8CEC3B9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:51.012{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53801-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030725649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:56.855{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583871411D4135091F74BE55D1AA9FA0,SHA256=2F47E7E467F4FFA72056B1FECB9E12CFB81DC625CD35A4BBA405826E2E29D7F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:56.479{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952D18847CD8106DE82321025DB5ECE4,SHA256=67B2F90F282AC816B6A6DA76912FE774AE4867F6A37419691A01A70561FB82C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:56.167{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C61108EDFAF03342AE020B3D4047A88,SHA256=83D677E066CCA346E71795E5417400AACCBB9055015979AE657D6B7372D8A36A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:57.871{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFC6EFAFBC3346E266DCCCAE47180E5,SHA256=C6E246B9D988477D7F1B326FB6F4B5BAE6CCCD004731DF6607C8E9A22D56F096,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:57.667{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=544309FCD0947B58CD46BBE4AA8DE46A,SHA256=3F08D20ED5D20D946326958B7D7BE97403754FB939A5A13185C7737BC185B9CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:57.667{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381AC8AEEF3D42CC5513AE7EE5EDB7CB,SHA256=B3BA3D68A4B5ECC383191CFD1ABEB5CD44433A4F99EE157A9D109BEA18AFD8BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:58.901{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4767E4849B3EDF5A482F6E2E514518D8,SHA256=550C691CDABB0C8FF540C5A618A8B5ADD6EC85A49EC8C4162CB352A78FE3243B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:58.667{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDCBB709D886570BF8F1A5B725526249,SHA256=E99C7A3D22B18E7B7EAB6343391740A541DEAF8EC8C26A90A8AD33104A92EA39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:58.667{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B724C820A31779E00D3D67413CA1234,SHA256=D5C0ADE2ADCD2C47D53C999EB3CF256CD8E843A0B483DE9924B1880B24FFB83B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:59.745{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12B3CBA7A6BD199E7AD3BC9890E8DC07,SHA256=EE3DF9524AB8257905C906322284B809C3511F01C5CCB162446DE215BDAC9D50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:59.698{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC41A1F3FF84F7DB5C04E68F7262DFCA,SHA256=08071BCED021F937BE51B571519F5DB69E33297DC2B401F2FAE1CF1DE0ABFBB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:27:59.917{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D89A9CCC80283DDFE382E9DB1E0770,SHA256=7DBAC7616577E94A1DD7B80B12B6F1555BBADCAB6ADB2D3D955B969473B1E462,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:00.936{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D91034C5517339D719C4D2B469F0A65,SHA256=878CE6983F02A348BDBA7A0A4088C0FAA40719617E1E62DDBECDA6423EB8DC1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:00.762{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DF859C06C0D8FBBF2ECBFCFA31A274,SHA256=845C0FCC547294D9C363F161A0DD82D0FD24DB8A034FBA5A5E0F343E633A91CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:00.952{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0158F2C3F12CCB387E28E9D5F3EC431,SHA256=36708A318BF6C0836DD4605356B796B0A1EA34419B52E061DB39A4C85A19C382,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:27:56.076{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53802-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030725654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:00.168{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2E7CB9EBD889115E0090603C78B894B9,SHA256=21141C67083491B720117448888C5F4FA9B13B4327D85D790B08BDB4E29AC0B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.147{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58880-false10.0.1.12-8000- 23542300x800000000000000047956633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:01.779{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4121A047A4113CA50FF0581A01BC7365,SHA256=8D5EA3DFE339439748495AF2CF867724C1342C358EFF73B9C49AE211FCD16676,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:02.814{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98A3C08C9A7EC06090F05D590430FCE,SHA256=762D7EE8D582E80FAAA4C7EE7A97B26BF7753A2653C42EF53E07797C26AF4C52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:02.111{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AED2160AD9BDF1A4867750EFC6A2D858,SHA256=2A36129C53FC9DEBEF4F78805A1AD5F4154AFAC7DE3697EF93A70A798FE378B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:01.999{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824CE954226F2ABC0063FAF74FDD631B,SHA256=ADA010932BE23027EBED82A3B4BE38DBC6E3AF4D17D446F540B3E3BD57A0241C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:03.814{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB89CF4A38D6387BC0631856C4842A87,SHA256=78515620C8CE7F3BE831C1C96CEE84861D1D4514C38739315AA7730A747CE75B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:03.865{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6463-6125-7700-01000000C801}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:03.865{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6463-6125-7700-01000000C801}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:03.865{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6463-6125-7700-01000000C801}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:03.850{B81B27B7-6463-6125-7700-01000000C801}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:03.016{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2676571BCA63E1CF2BFE7B28D99ADB,SHA256=AB14D3A6379542FB004DE9A693FE9A07FCBD1AF27B8E902C79799B09668667E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:03.204{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CEA523A7E06F2B2E1715FEF973CD3BB,SHA256=F1DED9C2B12D638A87C9D9110FB771184AF268EF1140842DF3B2D23264B0F32A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:04.861{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A000E048C86DCFAB184E5D9FF87E15B0,SHA256=3AD3FA978DFB3830483B85F766F3DAF10FDD9352E80971D5FFA373219917201E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.729{B81B27B7-6464-6125-7800-01000000C801}44006228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.549{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6464-6125-7800-01000000C801}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.549{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.549{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.549{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.549{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.549{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6464-6125-7800-01000000C801}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.549{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6464-6125-7800-01000000C801}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.535{B81B27B7-6464-6125-7800-01000000C801}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:04.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEE83C0198C8910B2C541F237F1F6D8,SHA256=76CCECF25B8321C737C1F3580DF3878DC66259765B1FDFA9D182017A8869DBA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:04.329{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BAB76665D621D484F97DF613FC3315C,SHA256=15535A09571B659ECEED802EC5847DF6CC57575813E1D2BCE963883AD40DC7B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:05.876{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0394E5AB24C5F08447C23E341EA1D38A,SHA256=4712DFCEED77D7EAC47F123267988024DAAFCE7487485B66D59A5E98D4E05795,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:10.095{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58881-false10.0.1.12-8000- 23542300x800000000000000030725678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:05.087{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67BB0D097771A6FA93F74C981B5723F9,SHA256=1D161E49363C7B99191DD3BF8340464DACB513775D387DDD8D8D625FE07552DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:05.087{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82A7CCDA7B9D4808DE22AF13033FD290,SHA256=BB5C20237015C2A2033AEE02C24E80663F2B490488B331E800490290DCFAD315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:05.040{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F92A0EEF32082F2D716D3851E45F3B,SHA256=2417567F115C16881A0CF5A25202A24ACC1C32C75DD52FA0B41B628926CD85BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:05.626{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9B3725D644914C042CAF74B16AA6C13,SHA256=C8DEED6AFC5482D263D163975ECF1CD79B43C44CC6ECE8E80B7D2B1D7520C529,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:01.849{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53803-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047956640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:01.849{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53803-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000047956645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:06.892{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF6EE863A50136B87D7217A36C7CA4A,SHA256=E5270B3E1A4DB83F924D368FC914B6B31EAEB6A4B3A3FA05ADFDC45DA6428469,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:01.880{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53804-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030725680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:06.055{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F3AE3B2686D256C8D4868C7EE8149C,SHA256=1DC829074A99F88110F850A02A94D767645CB6FE2F53D0E3756B9DCC2F44C218,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:07.923{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E15A71E882FE6F8D778FB8A82ECCA9F,SHA256=5D279A8F133BDB99D0A17FEE1A8FF5BD3FA0CB3E98F3508AA78EF88995F165C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:07.126{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DF5436FE2C5A2DCE61884C1139338DD,SHA256=BB238A8456E5E0B774BC0B9B746EE7598F80E32D4B44D9503D3BA55584FEA91D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:07.085{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC5B06EC076BF1A872887C459DE3D70,SHA256=748552EC33A07A673B10003207BA008B2F1BC8EF422465AF7FC11E1F8AA07837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:08.986{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C7335B5CCAB602B6C5EECCE64F437F,SHA256=5C77C6742C0AC9680184C976D951D8A856C672F1908D5FB17FA67E9A9E72D6D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:08.251{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BCEDF434281D2A1DD111823C4D4B423,SHA256=64C2D3E6AF5A3279C33E6E851DB028ECB9838A8399D7C9204CC0AC94DE60EBD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:08.116{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F33DBFC5B0EF61E0A47978E472445B8,SHA256=AB1F45BC000EADCFF23052496D1E3EF668CCFDE16E2E49D367B51AE693CD38D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:09.121{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85FD406D5AEADAEF1F41472A6DA3C8B,SHA256=AF528E1D91E78CA3FC758413BA9BC80CF4C4D6411954DE695EA5B4BC8CE6480C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:09.376{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3A85790EB1D7A8CF394A9B03EA3AABB,SHA256=711FA712D7D2AD3FA232B5FF8EE37951879F0A989283F8883EEF1570E5B438E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:15.148{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58882-false10.0.1.12-8000- 23542300x800000000000000030725684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:10.139{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0354F6D87312EDD6F0F1595816FCDB9B,SHA256=F2EC897B31AB2B6D5503277881665F206F8A4811EDC7D9DE136854DACF805DBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:06.973{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53805-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:10.548{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D65BD43BB910AC256765BA29073898F1,SHA256=8D5285E342D5599227E2DDCC65E5734D4B9BF804A375982F9A73AF9A20E28FE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:10.001{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D89B6EC13DFB84DE5B87E507C86A42F,SHA256=943572202A8430F11F4533E8E1CEF5F2715A438B904E63A0EA23E3E6F1DA26C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:11.153{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D06EB4D470E44DE77930B9DBBB583D,SHA256=BB42D9FB45A166F237F9CFC9A6BAF978B55CDD1BD7B5AE9AD0B5B878C25ED3C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:11.658{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA3019BF97D34855AFF502FF4B106B04,SHA256=3CBE7463F8E72C6E027C922795BAEBED31134AAAE7C00320E79A05F66CDE6BDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:11.626{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:11.017{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA847F0EE6E62F28BF197719E5056DAB,SHA256=E94FE76AB8074BF9181F852D0272F8ED496F4A26854C6BF48E0D4816E055D147,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:12.183{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2163FA752A1DDF19F54E31B7F4EADC6,SHA256=15847FAAF6BADCE5FD8D5D9EF07512F0F0F1D8CC0AD719DD9C6778811C7415A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:12.720{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910CA63A00BAB369CFACA23D016A1186,SHA256=CBE942C03D022324A086F41F9BAC846D7BF05A2DA80FD96250C22B3BF1EA1D3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:12.048{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D89E6F16B008739250D294B87FF5110,SHA256=28CFE661414C77CAE805ADDB26E4ADDF4D259AEA5CCE755953BFF4CEA577387A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.997{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.997{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.981{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-646D-6125-7A00-01000000C801}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.997{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.997{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.981{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-646D-6125-7A00-01000000C801}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.982{B81B27B7-646D-6125-7A00-01000000C801}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030725697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.516{B81B27B7-646D-6125-7900-01000000C801}58287116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.335{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-646D-6125-7900-01000000C801}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.320{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.320{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.320{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.320{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.320{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-646D-6125-7900-01000000C801}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.320{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-646D-6125-7900-01000000C801}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.315{B81B27B7-646D-6125-7900-01000000C801}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.251{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB2C6A1B0B05F38A2305957DA525BDA,SHA256=2EF95987A2D60416E4033F418B3386D7BC2B44C7A6CBE72216C751F11937104F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:09.458{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53806-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000047956659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:13.079{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAE764D9866B7F125299D36117A119F,SHA256=72943ACBC490091EFD8BF305398E7471204E28564126BE40ED8CC3B6EC3BA56D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:14.350{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8CD8D868CA9011F294EE1DACCF012E8,SHA256=E6C2AA484844D5C9D3C9C49D413C397565EA9D45DEA20BF5CAF3FE8CE667C8AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:14.350{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67BB0D097771A6FA93F74C981B5723F9,SHA256=1D161E49363C7B99191DD3BF8340464DACB513775D387DDD8D8D625FE07552DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:14.281{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5333E72E029AC3B6ACF4007A88584F,SHA256=D097EF95F21A2CB44A74C34AE9DC213B981F150143AC14AA5524251E43EAE14F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:14.251{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED2D01BCA50FC32349F717B8EA740C68,SHA256=D7E9260B36120B331AD4B7F908FA48DC276AC834CAB610D6E89889B74B6EB340,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:14.079{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F061AEE94136FA0241F37165E3F400F,SHA256=8FCF9CFE4527A78B23D6DFCCF6F8EF6AC639F823177895A7C6FDD46204AD289D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:13.997{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-646D-6125-7A00-01000000C801}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030725710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:21.026{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58883-false10.0.1.12-8000- 23542300x800000000000000030725709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:15.296{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A63AC85D8421D95A87FA4DCA8F923B9,SHA256=EBACFC68B6AD33EF41ACB44AD86BFD8D8E2A64E1B17B153F1CD66876871DAEA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:12.009{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53807-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:15.392{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78A5761106924280B74BE6CD64947197,SHA256=604A0F80F7A6D5329C0637F9AF777B0F3009D6139DE52C6369AADA12D007D0B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:15.111{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7F414113E526C01A1754723EDD480D,SHA256=07991D72D681D90A85BDA7395BA5A41F5970029DE0F6DF33DF8962B35A4D93C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:16.313{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B60511599B9C847543490EA2C6C7CE,SHA256=FD8938D27593D0205ED05D1EE8651E75372847B0B9A9C4E94C7CE0A697908D37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:16.531{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C1ED39A08933780F98FB9A1C06518D6,SHA256=21CC2E1FB613A8EFADC6D7932A72A684D2903CF57EC45FFE8BA4D16BE481B46C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:16.125{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD453AF909E71CCC70D6838F9FD7966,SHA256=454499232A6907005935FFD29013FDF280971C52675266B946CBFC4D2D173982,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:17.338{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFD02EED6470FEB01999403141127ED,SHA256=05A107368EE4B6F8E0F71A880A60841457BCE31A132F2E868B26680A99762328,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:17.781{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E45F52D6C4627D08594B3A28288BBF5,SHA256=E8597FF1769472F50B671E047DF163A28E277706A7163A15406905E010E20977,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:17.140{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B615C63FB4D963136F2EDFCF2472E4,SHA256=13072567F8223D794589D41A15E831BF8FE790B7367EF980D7BA7703AEAE4CF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:18.364{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBD0E1642C13581C2971EFBEEA8401D,SHA256=255E6981A24C34F1486F7F8B7DB94C04B89A7DE7050DBF3F5656C0895051BD58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:18.140{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70074126DBAD139A42BA1E3E63607FC3,SHA256=D7578261F2237BF8C08E1C2DA569F1D3F1B2EA1486F15F9120B2C2303084E99D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:19.379{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FFED2C1FCE6353AD7B6E42CA663E6C4,SHA256=FDE2FB4EFBCC98FF574319082B90A4FCB77CC66F8E56A07DFEC04FA4CB521493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000047956675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:28:19.375{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x800000000000000047956674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:28:19.375{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x800000000000000047956673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:28:19.375{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x800000000000000047956672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:19.156{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB263722858C7A0E85E5316E138ECF7B,SHA256=0326711F014B79C930893D533A678CABC7A6B610D9E8262309A791C671B2A4E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:19.263{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:19.031{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BB6E441B4A41B471B7A779A2250F1B0,SHA256=A581417A1B883ADFE29272E2ACD3691AF464119E4DA88678376141FD3C80041A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:17.236{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53811-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047956684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:17.236{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53811-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047956683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:17.228{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53810-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047956682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:17.228{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53810-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047956681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:17.207{3BF36828-401B-611D-0D00-00000000CA01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53809-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x800000000000000047956680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:17.207{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53809-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x800000000000000047956679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:17.065{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53808-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:20.437{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A3537B655EE0B50CA2003268B63A432C,SHA256=763C1E82F2820DB0F62EDA9986F4405C7639C8539FF47FF83B98C87001E78473,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:20.328{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=230CCB83E512F3239B3D0A01B6043B38,SHA256=001336002448E3A882E0F248F21AB06BDE754A8F4D1C9253DC0D521D049E078B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:20.171{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF85F4AB4F0AFF15468DF7776F3EC7EC,SHA256=DEE1C80074E2ECEFD433C072AFC92C9C2333C084B817F5FFF02DC6761608415B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.847{B81B27B7-6474-6125-7C00-01000000C801}59326112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.677{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6474-6125-7C00-01000000C801}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.677{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.677{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.677{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.677{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.677{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6474-6125-7C00-01000000C801}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.677{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6474-6125-7C00-01000000C801}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.663{B81B27B7-6474-6125-7C00-01000000C801}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.414{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E8ED7013541B744E7BF03D62213451,SHA256=7675C887B00537CD3291753AA4F651492A712AB952E077558614EC34E462CBCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.210{B81B27B7-6473-6125-7B00-01000000C801}48244716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.015{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6473-6125-7B00-01000000C801}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.015{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.015{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.015{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.015{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6473-6125-7B00-01000000C801}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.015{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:20.015{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6473-6125-7B00-01000000C801}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:19.994{B81B27B7-6473-6125-7B00-01000000C801}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:21.446{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030D118E7950ABA27EA8B48F64AB65B1,SHA256=0B350D4026CD5C2CB0DDD06FB40CBC7A2819672AB2712E538D351F2FDFD08162,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:21.453{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52B77D27128E7DC2CC9F03148C8E4579,SHA256=EB426F63393DC704EF9B6C8187D02CBC6E95D212795C53F9DCFE4947B016BEB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:21.171{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E554190C4A61162C04E6AE564AD2E4,SHA256=8483F952120A4E2700D44ED79A8C6BA0185E8044490773AA5207EE900AAD2A5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:26.177{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58885-false10.0.1.12-8089- 354300x800000000000000030725737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:26.162{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58884-false10.0.1.12-8000- 23542300x800000000000000030725736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:21.015{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=689817F1BC1892E41BB76BF74BA52A83,SHA256=B23C9EC771D0FB7360F385C26D5D4D1443DEBE743F1E3786FED963D5202FA81C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:21.014{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8CD8D868CA9011F294EE1DACCF012E8,SHA256=E6C2AA484844D5C9D3C9C49D413C397565EA9D45DEA20BF5CAF3FE8CE667C8AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:22.492{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6CFF1F47A6C964DFC6AC7C3E3990A4,SHA256=970E39C162FA2AA39FD9DAC5A178F84A9B65D33087A141B2B17F7A62F0A5FA8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:22.609{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=139A0E9FCCEB6058540C4315701EA46C,SHA256=36FD982086ECD05C499C0569D7E86F200AD2FFE1362EC7BDFE9D1306C6C48C96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:22.187{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCFED090FC854570A4A13BEDD619312,SHA256=7A0F07346D88E611442738E8DE15A9C73FE01545E33EA4E3E5571925580594D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:23.514{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C067F6B43D8DCB94846AB541166D4C8,SHA256=6A6BE230F37A2B91AAB61FC84379111883E765DC2BBD5C2710103EB0177E8ECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:23.187{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCFE770F39B1CA1E13C7C1B7EBB64F9D,SHA256=0D717E6E797D89548CDD0225E940661D5475FEE685EF5237DDAE7CD3EE85310D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:23.113{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6477-6125-7D00-01000000C801}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:23.110{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:23.110{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:23.110{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:23.110{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:23.109{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6477-6125-7D00-01000000C801}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:23.109{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6477-6125-7D00-01000000C801}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:23.092{B81B27B7-6477-6125-7D00-01000000C801}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:24.791{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:24.529{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3376F36D464FD94660842678484F059D,SHA256=9BB9521B509C1565DDBBB05C3E2028F77F65C9B77712C55B27E5EFC2244F0327,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:24.218{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B0CB1A55E492ECA49DE80C2034895A,SHA256=51A1DFE759FD489C659A8F750AC5C7D11DC225518D3DDD525C86D22F1BD6468D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:24.112{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=689817F1BC1892E41BB76BF74BA52A83,SHA256=B23C9EC771D0FB7360F385C26D5D4D1443DEBE743F1E3786FED963D5202FA81C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:24.046{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82864DA895E909E79ACF4D0A3E8861C4,SHA256=AAEA00A5516DAC74E4A9FFD7557E72C224768CCB0C724F919DA17709FF0A7741,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:25.543{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB88268924EB315C98C8A9FB5041649A,SHA256=214879B2833280A995A1D6D09CD422988472360CA2F69325E81CAC2C3B15D8BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:25.250{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B200BB52EB100CD9ACED3FE0E13D8D3C,SHA256=9745D49D0AE974D3EFB04B7B6CE0D852C5CB761D3A4F3D120BFB3696645ACF7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:25.093{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A82F832525634CA259456766AFB4B2CF,SHA256=903377157A30AF92630C8A51ED42B2C29B143571A3F310F3BE79ABDADDE4A0F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:26.558{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BCB35D83D47A51145B1A78D38CEBA30,SHA256=8EDB45D90E270DB64A93133EC1D0CB1BABC19360C2B8F387046E989DD7132D59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:26.281{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DB545CEE50A1738047A26D133DD855,SHA256=8063C7E8C28DFD8342F24A4165F165B94711347148E79084DCE949BAB0888D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:26.203{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4ACA5002E5B9BEAA21F4A397935F289,SHA256=9FE6D89423CF678AF439751B1FB340B532A313D71686D926552B4C88083BAAAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:27.588{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818D8FE521AF4AB0392BF8C6228DC46F,SHA256=A32C74127D8FF3821B3906A930A6DE2A46EAA984F38F85C10C37E3B94C514AAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:27.656{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA3D963649B5F249832432AC06107A42,SHA256=8AB712289D91BBC968A9CE976B253891D4DA9F1822EB3577BF74B5E76D985B6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:27.328{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D46BDB67A27F44F492345D9E31FA68,SHA256=6C6B5A76CB7DFC84BDCC09C02369B1071C9DCB1CFF31E6101475D68C70D7D2C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:32.020{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58886-false10.0.1.12-8000- 354300x800000000000000047956697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:22.940{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53812-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030725757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:28.605{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46A7F3CBF5F2D6E837E0958C02FADBE,SHA256=7E37DFBB95F9227FE6C6E0F1CC20E32A7F1F0BD2365EC9F09E823D1F230EB915,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:28.750{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=019DBB7D91347BC0EB0FEE5AB7E0F078,SHA256=FAFBA54E3CE9A0F75C6D14EB53D1826CC243D8A86FFB72ED27A9DDD54C616B8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:28.343{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA728697B3E0572474B3F1BC3FB97F3,SHA256=24D2AA49E2067F023701B67D0241C7872E30074D864C602414B54CC81F8873B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:29.631{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4C84A510D06F484B0026B69DB21E47,SHA256=CFE2D5DC41EE9CFC27ED03FC66215945F738775C925892965B1D20EBD2058711,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:29.906{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC96D4E70A9AF49B3C7F23F15FDFE1CA,SHA256=F773C9A203741D143A5A3CA4DE925B896DE1C47014D3B7ADDA7AAF85EE807229,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:29.359{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D55D409A981E70C747F78D9B729AF7,SHA256=B6223A1AEA2EF9E95961754EBBB186CD85971F0C18F0B04E7393F5C616AEB856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:30.645{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89DFC8F7E6FC4C96681867BE85CD92C,SHA256=C1B969250E2FA81AB44282969538501023E5FF6D3CDB5AC4B80386A214F2202C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:30.359{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683722584BCC4F04DABD840204A07D33,SHA256=1CC47DB24F20700AF2B9DBEDF585D041F6B9652EE4D33A4CB1B2CBF44B6F5170,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:31.660{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56BF98E56AFBC12FD7C00C23BE844BA,SHA256=CAB593342DE44BF4A389A8B845B10F6E237B44E125EA0CE4BB8EAE52CEE2661D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:31.375{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95C812E27E053B6B9716EEEAF336499,SHA256=DCC1105338DFCB8BC07E07E0C0F94249BC3E4457418BE734DDB86B3632D86810,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:37.091{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58887-false10.0.1.12-8000- 23542300x800000000000000047956705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:31.140{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=460A9A085BF9F2956742952A415CFC7C,SHA256=6C832F934EDDE14FC3511110C66B598302EF777B779574C5CDECA6E0BA4F0F17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:32.690{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2D2A2CEC7FFBB681B92E33B3ED06DA,SHA256=56064DF76BF3FCACCC6BCC57A5BBBB2CEA335DABA01E501007F752FBC2397221,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:32.640{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BA017E19B2F1988754F8C4DD6C50A2,SHA256=B5B3DEBC9E9D56E971A480987BC8B55B6CE04B27585D290F8FBD2A3B4930681F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:32.390{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568A4ACB6A9A7446E7949D838E98C211,SHA256=395005FBD08AE81660D596601385EFF469B3A571501C9B78927C3914767B1398,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047956707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:28.065{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53813-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030725763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:33.706{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B006F78C01E07AD0FFE081A1BF24749,SHA256=4B456C20E6B1DEC58F907EF4393DA46E0BD6A160CEC5B46DC0896E8279934787,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:33.953{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=237C5B608A50E397D2E3F3209A540849,SHA256=E9BE9C0D312DB7B520CD833AB15E60DB3E44DAD0170FAF06EA1BE38F1EB0C962,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:33.453{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4646E5E3AA637EF297D9F56C7866022,SHA256=123F60644CE0FEEA46872E0FE0D142DBB5EECA2713BF2A0D990A0D79C64115B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:34.741{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E860F014E8C38B72EE1FD8CECB7E85,SHA256=1D79E0D137BE230BCD4310CEC1A69B80D0A6BA7DDE37C99C1EC7686CFBB98D11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:34.468{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD4557459D12249C5BCAAE612AD1E31,SHA256=840810AF69CE2125B49E9DE29A78CAFBD3530871B3B02464295A34068D316A1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:35.772{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140E6A105144F65760CCA752AB7DF9C4,SHA256=794F98EEC30444CF0949C09E0DAD22F433CA77855D10493F04F1BC6A52749E7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:35.500{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD3CE217D0CB499B89C8F2C23FE6731,SHA256=81FFFBF07A239E8B03525087A38A5D90F100C2669FBDFE14C15A5DC00472C178,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:35.000{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8245F9BF7C0B0272B046F607C0A68163,SHA256=2AEBC6A3136462FB1BF1316D9CBD43672560004F2210BABB93AC3A09ED97FC75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:36.804{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC19CB1E95059012E3FE14B461B9F9EC,SHA256=84854D277BAA045825CAA5B0C80B3275ECD5B45EFC5946201D6C1B437EC4B53C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:36.503{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E35030CB059E16512DE91693F00E037,SHA256=F90471EC0611952DE2E6A4702CAE2E91499ADD0E281BC5CE9785232EDFFF499C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:36.253{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0253EC523BD75378C839B3CFE333D54,SHA256=0E8A5D56A7EB47D9A1827E260296CD342CFDAA3973C13BC6C04643A8A83682D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:37.808{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C06E296043A873513EEDE533BC1E02,SHA256=AD13B82E73ED7F11D7721318DF1271B844A39AD80E99E72EC2F1518EB785DC03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:37.737{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EF4F11BA64552CCBE9C7F1801097B60,SHA256=9CBA2BABD29331AE020196CF7D13F8991F055AEBE2D33603BBAB936C9C3A3D6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:37.518{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18763B51EA4479C5F69B4FB1DE29B3A,SHA256=B7D92711B80ADA65F32B6ED219DFC99ABE65B8F6E9BFB17240CB2B81BF67897C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:38.822{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1832B0FEBCE2D9C73BC233BF9D14BC,SHA256=9E72C3EDE98EA8288239EFECC345E986AE077AC23F3A12E6A67D130157383E06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:38.518{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD03E658F44654B6BD72EE6BC2F3962,SHA256=794B099C80F935293112EAB754AEC113AFFC4DEEC092D981FD9820C03B43709A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:43.085{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58888-false10.0.1.12-8000- 354300x800000000000000047956719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:34.006{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53814-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030725770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:39.837{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAFE4FF5B79ECE5C000A1E0F8217691,SHA256=CF66E5A49A0DDE6BA0FA0EA1E47007A918C82DE3A2E843D68AAFB2A98896DF13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:39.550{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26F745EA5566872E4D64F4B3DD7E055,SHA256=F0A3EF7A79DFBA176280E0C518B0F7295E4B6B8B5429816028E224FDB87646AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:39.065{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE4DF3D4950604C1B4F77C7F2EE7DC6D,SHA256=BC6BF61CF92347DAF371DA0FAC33B2F5BD9C82A2C6A8C46F69E3A3DFAEE8D055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:40.883{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59075F3CD7190FBA45330BBFFF6DC5AC,SHA256=6898AB42760EB8FD1402DAABBEB14414453106655F404EF52339CD4ABDFFB487,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:40.565{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0CA457DF3D7AAD8B442AFBED012BA2,SHA256=FFC29DB366BE3997EB5A78996F83882644B992DF313390E82BDE876336D1381A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:40.065{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8E3C2274779353062EDDCFC21C277AB,SHA256=69FC7E77DF179B0CE18D745634E84C3005B39C23D47148B3BCFE91DAEF9292DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:41.900{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92BD5BDBE30466BCFE94F7D7F9A2D99,SHA256=2231762D2F1F198997B3FAB4E1A5FCBEE28545418CFA0791CE0FCB24B71D70DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:41.581{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69414F3311C77BE5BBB8E7002C2C51C0,SHA256=E7C987C33819A7615A143181972199AF603CCE51D53A1D9C37835C2D5D0C05D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:41.362{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87C5DC2DBF8333028CB88F6285B09B60,SHA256=CE79642DCE68EF46734836D2C9949E976D5FB48B89E0696D62FF925C1A01BC2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:42.903{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02EB3F9D15D063CD5D4541E01B173E0,SHA256=CC4633754CD73CE42505BA358BABB705BB0CDEAEE8380040B5696C251C0FD6D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:42.597{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B477B12A157EFC9F987A3E13823760C2,SHA256=EFF833B4AFBF9ACDD8C87A95E1AF9E29248169CD0E00706D1664D8051A786655,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:43.935{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E9A5C9BD5CA5F43BFD506165E2B4DF,SHA256=8137CF8443B18413B041C56BC9D13AA5694516BAFB530EBCF71B8880A41CA2F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.753{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B149938D2A8CBA043931C5CA1E3530A,SHA256=1E36BB7A64B2E0A1BAE775CAB4FC6B75BE7C14B3F6A1CE62007F0C3C82DAC741,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.644{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047956784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.644{3BF36828-648B-6125-68F4-00000000CA01}46724108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.644{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.644{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000030725774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:49.064{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58889-false10.0.1.12-8000- 734700x800000000000000047956781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.487{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.487{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.487{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.487{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047956761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047956746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047956743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047956741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.472{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.456{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.456{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.456{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.456{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.456{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.456{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.456{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.456{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.456{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.457{3BF36828-648B-6125-68F4-00000000CA01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047956729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:39.866{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53815-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047956728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:43.065{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E90D291596DEB1A2BE42BF11E1D7A716,SHA256=00A4BC44F9AC82BDA4F5F7588E6484E89F260C91302156D61E459611C06A90B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:44.950{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73939B92A18AD50C3A75B1198BBA2267,SHA256=C7E29E115F9C450E4B71D2E9D2EE238AD22960F899BE3C453001D710E583F609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047956903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.862{3BF36828-648C-6125-6AF4-00000000CA01}33005828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.862{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.862{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047956900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.722{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.722{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.722{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.722{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.722{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.722{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.722{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.722{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.722{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047956891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047956876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.706{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047956864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047956861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047956860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047956858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.690{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.682{3BF36828-648C-6125-6AF4-00000000CA01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.681{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF5A7779D28BABFC1CA39D5F43474D5,SHA256=E3EA0DCE13304AD66111E2827AC4E31996115072EF25A3B9C4DB83E7936B5899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.612{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF76854389863D8F1657CF9C33DF8366,SHA256=1D76AA257AA2B4DD0FB18453DD12CCC633685440CD2296E7EFC93C3B1F5F9614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.550{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD34B895767D4181954A94EE4C761F20,SHA256=46E00BA6147A017B72D1849F89DED2C0554B3057BB60DD7D9CBB568533EF9395,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.440{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C266A128DFFC1B56E070A3D71ED141E,SHA256=57F9CCF5FE2234B2FFC832F4695DA8865B067834DA23B6FA04E7FE702F868550,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.440{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDE264230C5FBDA3BCA63B4F643408C,SHA256=3B86A5E25BAABF908E5707444B78B4E4404E8B72C946BA58ACB76C47BA14B521,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.315{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047956841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.315{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.315{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047956839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.175{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.175{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.175{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.175{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.175{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.175{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.175{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.175{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047956820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047956805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047956803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047956800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047956797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047956795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.159{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.144{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.144{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.144{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:44.144{3BF36828-648C-6125-69F4-00000000CA01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:45.955{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A18F6A98829C11FEE6D4CC603971C1,SHA256=D72AFFC252BC9F963EB83A195564458AD4D6E269BC1EA349B64C297D49C8110E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.862{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=919919ECED8CDA63F353C5F398CBDD32,SHA256=066DD2DD80161BB399DBB68905B2786493F4F817CF6ACE73E79F7A053F97FE2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.847{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.847{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.847{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.847{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.847{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.847{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.847{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047957008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047956990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047956986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047956983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047956981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.833{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.815{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.815{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.815{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.815{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.815{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.815{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.815{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.815{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.815{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.815{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.809{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.800{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BAA7C2A4AC3E00FA2E2F1E209D5E3C6,SHA256=776D6467FF61EF01D2D5F015EB25E80CC9F866A65619CB3C4E99274B51D6E4E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.706{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8012D12A4DAC82E8C19E8C2F51D29DA,SHA256=DB614EDEDC42D8CEA76C1E7EC714B3EFB102417EE2B9FDC8BD4F0D4BA335E43B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.690{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5517184C2D5D977C5CC1A052BFF75832,SHA256=1C324EE36B68520DCD5E3AD0115704A41D54C0BE05FA74DA97865914B148BF64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.643{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62CC835B3B09EF416DB2FF330F3F31B6,SHA256=48FF5F74C2DB6C6D4BD8A4686762C2E998905A637F12EBD6945E4BB24DC38943,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.581{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF6F56286731642B956046273050B32F,SHA256=BAC79DC27155E56AE16BC18AF9BD846BED8354C1D883CCE3F5A59B80090C2E9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.487{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5DFE938930197F10BD9BDE360B3ECC,SHA256=D10D88320538BB20319A4F77CBFB50E4A1276F155E290FCB6A712414BF8A3262,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.456{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047956962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.456{3BF36828-648D-6125-6BF4-00000000CA01}5121480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.456{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047956960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.456{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047956959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.456{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98685288437F11526342514558F5B6AD,SHA256=FF2DAA2084C7860345D03CBA1C0F2D05A51D3B06E9E96DD793FBF07A2539BFC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.393{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DCFCAF804CAC7FC0934605A7EAD9F50,SHA256=FAC4838436262D1DE263BA31AB733FB823771EDCD50FEE6220973A7FEDFDD4FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047956957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.331{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C26D7435F915A9CEBD1C07F9A4DACE8,SHA256=8E15D861A72F6CD22EB0C80C045C232284FBDCD59144CBDCF1350E4B7A0532C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047956956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.315{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047956955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.315{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047956954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.315{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047956953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.315{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047956952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.315{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047956951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.315{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047956950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.315{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047956949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.315{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047956948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047956947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047956946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047956945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047956944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047956943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047956942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047956941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047956940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047956939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047956938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047956937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047956936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047956935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047956934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047956933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047956932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047956931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047956930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047956929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047956928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047956927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047956926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047956925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047956924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047956923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047956922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047956921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047956919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047956918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047956913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047956911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047956910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047956906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.300{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047956905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.289{3BF36828-648D-6125-6BF4-00000000CA01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047956904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.284{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C7909D3DF92607D48179D0F64F994C,SHA256=553B577EBCFC67786A96278B319ECC91BA673F3343C224B53A97EA71D1CB4F4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:46.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72394CB8FF9F59DF9574E8B2F2FD60BB,SHA256=67E00915E0ADC527241C247B0537EFCF57BC400C672FA1B0A28E1EFF26416661,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.909{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEB1B1CDE4C84B43901EA80935484FC,SHA256=550555B5E6B9B5BB63003FD1792A9425FFE6B783A3C9915EB9E43F547CE6BF36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.519{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047957092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.519{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.519{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047957090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.519{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8D867F7AA3DFF947D3BC0E8B8589B6A,SHA256=23E825D8612009A42DB100CEA2DC0A489BEBD3E94471CC0BA323CD3053E5F561,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.456{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=049050BD0DF223DECC227745FA5BF279,SHA256=24D1A17D8EA1EF4045E9FC4E2C5A431CD6AEF717780092E003FEDD082A49AE78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.393{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA63ECB271EA6DF6BEA0920F423B2E5,SHA256=335FE993E663F81328B8CE576DD0F58F57393FA8FD75523170B7CA37C334DA39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047957078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.362{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047957056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047957055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047957054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047957053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047957052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047957050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047957047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047957044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047957037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047957035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.347{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.339{3BF36828-648E-6125-6DF4-00000000CA01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047957030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.331{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECFF799338FA01AF9683FA12CE9EC2C7,SHA256=1CAA240F515380C4D478ECC56912E2039DD29B569F8BF27A060378C310888B6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.237{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396FE63684667B74340ADF56CA242F3D,SHA256=C04D7B5D57355A9F28A6A74D0050F273C543506F720BD0043E10C68004E6D238,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.175{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1A4F4B9A668F9E4FF119A5405FB3D8B,SHA256=7C11CF4770328C99477208B17BF3A0258FE41323DB073E33BCD10FB4D33640A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.112{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AEF369934B5341B92EFCDCE7A8B0EE,SHA256=C98B97BC018BC168CE6F14B7B54F874E89DAF67A1F271D59E1DB01166E27442D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.003{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047957025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.003{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:46.003{3BF36828-648D-6125-6CF4-00000000CA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047957156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.925{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF9235F362F3CF7A1BE22CD27F4595C,SHA256=1420E05DEE2F629AE10360A3D422F57B7AC9515B40F1EE019193045BB790D55A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.487{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F0788C337AFCD365533AB29EA7A632C,SHA256=386FA6C83397F2FB9577FC16588B2A3479952AC0491E2E08B3E4AEFB40D9780A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.409{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F35EF87FE24BA4DBE0F412C5C8BF285,SHA256=46659331837850657B186F605737284FA35ADB559F86278A51716D65054CC57F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.315{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762264E8B2AF9A4308CA19FC0759E0F1,SHA256=41CB352FDC488F4835E56212ED096E179E37B27A70FB929DF03FED9E9B82EB68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.206{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=633A628D9215710AFBB08A683AF012E9,SHA256=E4AB0F9CAF17B9AB23E760B40C658CC9D5DE62A08BEF1A8D798E9F02109F0F37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.190{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047957150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.190{3BF36828-648F-6125-6EF4-00000000CA01}6884536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.175{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.175{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047957147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.050{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.050{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.050{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.050{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047957127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047957126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047957112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047957111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047957108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047957107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047957104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.034{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.019{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.019{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.019{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.019{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.019{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.019{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.019{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.019{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:47.019{3BF36828-648F-6125-6EF4-00000000CA01}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047957159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:48.956{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC8337888CF3DEE85C240D130142F53,SHA256=7F8B8332FFDC78FF9C1BF5C34F5A7F0868E7EAD85DD7F92588F6A106EF43B5D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:48.022{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189E219016C1CF2ED580AE754C03F8FE,SHA256=53538563239069DCBC603573E9E414B7F0D32EC0C9ADEEB14E353AEBCC1F419D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:45.022{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53816-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:48.472{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1CF656A1BC13C0A6E93FBC2A9C82F00,SHA256=9FAC2258FD52CD84F1F134FB49E6A021B46463E3DBBA3FDFDCE6901B7B24C874,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:49.987{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E01CDC0F46339DD6551161213F422C0,SHA256=7548C8ABDA5484F33A7C1DF66A5F111353ABC5E170B99C7D46FC3BDAAB14B727,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:55.030{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58890-false10.0.1.12-8000- 23542300x800000000000000030725780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:49.038{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41715598DB98AEB20913077D34342F8D,SHA256=B9A1813320BCD896B67A326C211335C8DDCED6AD8BBCB6B1EEA032E3EC6EE6A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:49.722{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D00CE2B43EC3DDDD235C4FE5D87805D,SHA256=2B332ED09FD82842A629FEEECF0844DC4C09B4915D0108BBC372FE1871553109,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:50.077{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9EC13262ED39478F42F7FB4DDAEB6E,SHA256=DDC726CF1221B9604BC7BA6A8346DFF0BB7C6733153AA4AD196A56E9ADA9D6DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:51.222{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962964D573C0C78A6A63C01C03D4ECBF,SHA256=08A47CB2C372E233EA4A89076BC0ACE03508EB90871F94ED418782C8FBE11C9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:51.222{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D60ABDA850D53D321C8E234025FB3416,SHA256=346E6E61DC93B729B61B0BD20C605E59F31721A022A09876B74E672078EFCE1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:51.092{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCCB74EC24497E77D6D6B27AC83D344,SHA256=B75284AB847D43B39E41E1594487CB90AB56F022177EBD3CB5BBFFD371C87801,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:52.362{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=356AE06A85AC33DEC3B24D9DD7E9463F,SHA256=49FC96A195209CE5D53835A2376DC404E70628FE4C6A61ADABE333356970985A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:52.237{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1039F30579D73DE7946DC556CF5BB8FB,SHA256=BA99FD86AB2B2301965685D04B13A3B312DDCB8AEBC95368728225CAED5CC7C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:52.144{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C141284714FD6D9895BEB515D922546,SHA256=3B1A8B2C4EB8FD36113261B67FFC306605ECE289399FC824864065D4FBBA4315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:50.053{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53817-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:53.409{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1311507B5299930243742F595CECEF6A,SHA256=5B75374005826DD45C4E1304A760A46BC10500942D0B2ED64227ABF206A85A17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:53.253{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D29EBA2C84D0E058FA52140266AF84,SHA256=F03C5293ED2CE8506A5C187170445F07D84AD48C406BD3E7C1A95E199B775547,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:53.159{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2AD2566607B89C2E62E42B862E2534,SHA256=F497A2C79397D9BF342B47A08013F99D61DB47F63ACC8C3ECB85E1BE257B1751,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:54.519{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B3BF7ABBA14E81C5E2CC3BB1892C4A,SHA256=8DBE852DA5C6DBFE052A2EBD2F1EE3105BB0959A93F65DC84CA3E4978DD419BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:54.284{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D578FB7CDA92E41C8B8D3D3B03D16C6,SHA256=F9BA07E2F90B2F9CECAFCF4BC6A1FCB3B347A8D17506B3708625180614D6830E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:54.174{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BA1B946B2963FF86DE01C4B1518096,SHA256=B96C8EF6E7D59BCE4AD26322C6ABF8B37FEFEA3368698597AC178755B857FF34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:00.073{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58891-false10.0.1.12-8000- 23542300x800000000000000030725787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:55.241{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C3EF6B01C082BCF7DA72CDEA9CEE0C,SHA256=236C04804724CB9FDD1E2193C56409E7341D7FB161C6E6B174E77446C0D0F74E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:55.675{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D965E359004FC2A3E8E827D599815EC,SHA256=1E9002E355F13DA644556F8A8B2911348BDC6AEF5771DFB7D7A85D16FDA87713,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:55.300{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F49D472684D514342A7C151D3DAAD1,SHA256=3BD9047AF915200F523B9FB8C8A6B04B61F9430A636881FA96ECD5080788DAFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:56.271{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D129098FEC9259E89A5514EBD9AAB3,SHA256=45C0A42D074EF963866DBC3A827F2933FE9090450CBED1852C2B0451E6AD88FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:56.785{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=947E82B303B7B15955DBB38458EEA621,SHA256=9A02FB27E2F1975448E63DCE411C5A143626B6847924DE023FE567D6479781B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:56.331{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A583817023E3C13C4911B14CDA4124FB,SHA256=534CBAEC928B57E33AFC493654205C772BC923B9000BDE9D6BFE7D9B7F5B04B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:57.304{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D11F674D4A31A81955AA1B30DA419B,SHA256=9AE54A40C27945D2CEBE5840F15E946B239CC2D13E67BEDE0511A480B4A6421F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:57.347{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCFBF67F81BEB11D0A0E7BB1623D235,SHA256=029B5BBFA329F2C645487BCE01375EA158F25DE95858CA7150B15988E9375141,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:58.339{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFC641DE2E7053BBF412A57FF3B5B8D,SHA256=F7B7710ED01A6C8BC9F7E4D03C6D61E40A4BE677F1F5BC5AFD79BA09A0B7B50B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:58.425{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5301600A7169B9ED772B0E412B35703,SHA256=9C530CC1890F88AF24CC302DFD90A579D9E514E9E666452EADE73A76F0B8C85F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:58.253{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BADF589715E0DB100FB4B14218EF6A8,SHA256=8F1C964B94346D7BEB78E8A37D9D43020178EB753058397F91AE7D1C969A4CD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:28:59.353{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B413ADBF838726DF84786CA8617638,SHA256=48D3722784A75081069D445EB48BE943AB913A8776D532E9E41461B161C6D8D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:55.913{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53818-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:59.566{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B113D367F97614BA9CC47920005CC1D4,SHA256=65510C592261A18312DF96C31935F09C257CB0FA2855BB16C6E7061534360A53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:28:59.441{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135FDF6BCCBD36C791EF922AE81FB9B7,SHA256=2E3533BF439B226E81A1D754052B9D861EC6555B77647F44CA743440C332F779,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:00.691{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D0DCE1B5F8D492128BAA062B7A295F6,SHA256=D34434D406D6779B4525069C64D5013E106142DEA5968F79CEB42310D3A5C474,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:00.456{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B786D01E0441DC535C161F6E43FD58B8,SHA256=04F6D467BC2B3D213E5303D4D24936B0A8B4789C61CDF5FE39F0DF7F072A5B75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:00.401{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4791A9F296541BA64B16861DB596F40,SHA256=30F7C41037F4EA4DC0164C662C9F24DCEB510CB618B55B506CF6D851A8E28CEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:00.168{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8F24A57DD12385CAA1EC7745168234F6,SHA256=F3D7B28B5775A8204E10F57FDA6D7B3FC4AF472E7D257558011956471A75A768,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:01.801{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=321EB96E53A252C3C102CF82257A5611,SHA256=CED7492ED63FBE4E97402A6937353CFCFFFEED6A7DF7C815818A1A4CF6E7912B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:01.458{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FAC04AB07B08D6D2D5A57F09969B0F,SHA256=1983D084F6DEAD92FAD9EBF1C73792A236489EEDA7081A6A13DF23D50F1B81E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:01.420{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC98BB78D96A87F90DC097EF24893F63,SHA256=FD8948C800A9AF9FA280AEF741A2F4736A0C4A17F113BE87A3FCFDBD6DF6B402,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:05.159{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58892-false10.0.1.12-8000- 23542300x800000000000000030725797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:02.450{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60D8269A34FB48C473ECDE53ADC13BA,SHA256=333AD6CEE9AB8F32DC6157D99D1E7B59B7D0CC5C944F30FB433552801805B33F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:02.487{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7224BB7DEDE5278AB161E58C13ECC6,SHA256=2E4A90EDCA5B413B8C67BE4D159799DAB39E880E4632DF289025A2A54F6F1BA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:03.880{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-649F-6125-7E00-01000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:03.865{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-649F-6125-7E00-01000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:03.865{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-649F-6125-7E00-01000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:03.865{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:03.850{B81B27B7-649F-6125-7E00-01000000C801}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:03.465{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786CB7966348A789432437ACD5A70CD7,SHA256=57413C665C6930C6E2F396E0E6A4125A9D93AFD44832680456C77D6332F3B8E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:03.506{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5A982109A9AF03B1223CB7F7AAC071,SHA256=BDD8C2E940D8BEE3A50A54E05E4DBC9E0735BFA16CC3798B33B83A5082490F35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:03.006{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6DBB69086F4E54FB6F1CF593ED14D2D,SHA256=77BB28199D74AC4E42F02FEAAE93F7A7D27FF09ABB7DF2FDF1CAB2C4452832A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:01.025{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53819-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:04.537{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797221E89AE199108602D0E5C9C7448A,SHA256=6272B3749A0C594A06598B35736D47A7010874615D241B0A909B0A6D5C62CC32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:04.564{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64A0-6125-7F00-01000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:04.564{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:04.564{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:04.564{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:04.564{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:04.564{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-64A0-6125-7F00-01000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:04.549{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64A0-6125-7F00-01000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:04.549{B81B27B7-64A0-6125-7F00-01000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:04.480{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC6AC052C610CDA90CC549B9B9CE336,SHA256=2EF2528DFDC30BCF6BC30B338DBEF00DE001EE23A48473ED16651F9637759B66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:04.118{B81B27B7-649F-6125-7E00-01000000C801}5045388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047957188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:04.241{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A687C9DC43B1AD67826147F6F1BC44BB,SHA256=950FF004F084BCA0EE32199ED560F7FAEDCA076020C9D6C0154971D3A6BB7E07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:05.678{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF61D29A3785BD4BE7375BED854745C6,SHA256=56EB990EB028693311B7B42B6A67998286F9F1FDE64FFFEFEB854E958A3D64AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:05.553{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40FF0BD154A0C52B44B7F1DCC34841BF,SHA256=3C1A68813E98E526B2155195188794DBD84CBE0691471824860E16F25862E389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:05.548{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763A10144A11A5E6B8C555041698635F,SHA256=CF1AB655D51006A0E661FE88B49A6AA346A25FD76F7662C5E17C56537BC3FD6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:05.064{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B18294196080EAE19F195DD1A9F28B44,SHA256=56788BC7C34C3F8916D976334F4FD3996C7A94B6F25E88212A4C8B249E45B8B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:05.064{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EB9796D7B39B369FA2D2193502D974B,SHA256=29BB5C56194B742AECAB7B6E1DCA14717C27F7AC79BE71EAB420E0F1C071DBB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:06.881{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38E6D9801CAD3A93B3E1FF150D4F559D,SHA256=5F611C3EE729A81E2BC05AE08897137578FAD10FC7A21631BE9BA6782BA02D39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:06.584{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6762CCA8924E02F38FEF417641772A,SHA256=A88D29E34A6F6B244EAB55F15DAA38915E72160CF216DFC09223DF04AC9FC4A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:06.564{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA49AEE630A1F3DEE04969D0CCE6D49,SHA256=FC5DA93AE533AD14FA7B0FA6487371A8F3F43849693D31D67C31FC9281433F4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:01.853{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53820-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047957193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:01.853{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53820-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000030725820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:11.026{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58893-false10.0.1.12-8000- 23542300x800000000000000030725822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:07.596{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36794374B9AED859030E2651CE9ECFA4,SHA256=B25D43A5EE9A0BA3067C4E161D10074E7B397B26E3048B09A34A66CDFBAC39C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:07.600{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7175B5324C11A5F740B88E5CD691E17,SHA256=D268F95BE350D0666B4DABFBF41E29822C9D959EC76F12E7D66308F835F5FBE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:08.615{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB609EDD7952F2DB13E95E3596228B5,SHA256=EBA7D40BCCC5D9FCFE438DC27C383CE808F3907986CF55C0EB556ADE4EEA8CE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:08.616{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6744B3E9B62A889F21D415A2AFFEA218,SHA256=88C9328FB0381F2EFFDC27C88D1D29F72C54BFC2B16C4EE6FB97F7571BB4382C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000047957208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:29:08.506{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047957207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:29:08.506{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fcec706) 13241300x800000000000000047957206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:29:08.506{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79926-0xb0966d75) 13241300x800000000000000047957205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:29:08.506{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992f-0x125ad575) 13241300x800000000000000047957204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:29:08.506{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79937-0x741f3d75) 13241300x800000000000000047957203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:29:08.506{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047957202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:29:08.506{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fcec706) 13241300x800000000000000047957201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:29:08.506{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79926-0xb0966d75) 13241300x800000000000000047957200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:29:08.506{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992f-0x125ad575) 13241300x800000000000000047957199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:29:08.506{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79937-0x741f3d75) 23542300x800000000000000047957198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:08.194{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBBDC73F7D999567ECF4DAD07C9515F8,SHA256=5420BA2B4BBF5287DE84D8226BCAE7BF98E55332DF07072BEF28B81505EEE39D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:09.661{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049EB2A52C034433FAD379FC62095DEB,SHA256=61FA25A69B17F9F94BD8B71FBF315FCBCB594350066C94C0F13AD02C08E0161E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:09.616{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26871F2944D1A363BA7DB33A4E0D625,SHA256=FC66726E67BA5C2D0083C303F7AE9F76B38F289359EB220BC2B5B4EB7F643B21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:09.241{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52F4D4A3FCF8711635DCC72C6ECB6BFB,SHA256=B198D5B4CCCA90C9C7C0F9A365D98EF35A360C21C72EC6B4B450B841EC266D17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:10.693{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AB26BEB0E9A24CE0EED4418EB770BB,SHA256=29A0D9A4F6B5801000D06965A99CD953198CFA0206664DD773C5E3E270A8D8BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:10.631{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E3B4B5A883F2228F990F862527ED15,SHA256=0C2D10A69816B8102B4B6A01FB649469616A4B0543F293AEFC46D00D9132BAB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:10.506{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=900C3772E92204FD532B9D5E41988393,SHA256=FE30AA6A3538018D33FFC97F43751D513E0D67FA67478B60928DC911EDBC12BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:11.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D85D15DFACD5E588E08C30B77192216,SHA256=B6BBDE467ED3A5856B28011026420D2008E758DC472EF863BA315EFB56858879,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:11.694{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=841716F30CD0BB6D43F535DDE78493D2,SHA256=18D15DD7D8A98283F1BD0AEC9A6CC8E17A07BEFF52EA52BD7D00CFBA881722A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:11.647{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C8411D7B3A2F54A07A90D7AE6198AC,SHA256=A30ED31D47ED11586760F89E3EB18E51746A53D1C6BD2A0A4E01C77D3F55CC5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:11.647{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:16.108{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58894-false10.0.1.12-8000- 354300x800000000000000047957214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:06.916{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53821-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030725828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:12.790{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC406884BAF5186618DD28027856CC63,SHA256=585E5BCF6E3B3051E2AA49F4C5937ABB4EBFA7ABCB35D72C749BFB157918D338,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:12.834{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F747FCA340FCBCC7B3B60715B00103B1,SHA256=A34B36F8C169BB9D5B85E5D36C47683230212E6ECBA37A3E7F72AF79D7D33897,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:12.647{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9F3B4A6FE519408A2E39B2F0E8489F,SHA256=71FBEAA55597EF8F18C5580F28BA6DA590A3AEB384BC2FA40865DB500C875686,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:13.856{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD4F2B285ACA1C87245AA9E17E6EE50,SHA256=54A1724121EA4FFA4518E755356BF968D82FF3A613CF3A28D1C3A52233DF1E3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:13.662{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AD5C61892F01825C1BB28DCC367457,SHA256=35085524AD6784A43E149FD9D1F8A13A53A7F1927DAEE7D8816B43F233C40F05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:13.325{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64A9-6125-8000-01000000C801}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:13.325{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:13.325{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:13.325{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:13.325{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:13.325{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-64A9-6125-8000-01000000C801}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:13.325{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64A9-6125-8000-01000000C801}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:13.310{B81B27B7-64A9-6125-8000-01000000C801}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047957220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:09.478{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53822-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000030725849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A803C0CF9306F170B5CD01A58DC7246,SHA256=CE87D8BB6FAC5CAE57F10FCC678D34D5D69A8ED9CED0B9E7C1FCEF37F5B98CC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:14.663{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB003B89B8E8E7C2FCEE2114E2B798E,SHA256=38AFD3061EE8072627955262F19A8963C1873095F2AE7D34DD6DB2BFA6B0385A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.390{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F493B9E54DE409CC5101E6CE04ED484,SHA256=0A270636DFFF0B675803F0FA4B2F88718514DF03095B67F55FA847E75DD562C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.389{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B18294196080EAE19F195DD1A9F28B44,SHA256=56788BC7C34C3F8916D976334F4FD3996C7A94B6F25E88212A4C8B249E45B8B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.171{B81B27B7-64AA-6125-8100-01000000C801}50724924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.024{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64AA-6125-8100-01000000C801}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.024{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.024{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.024{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.024{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.024{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-64AA-6125-8100-01000000C801}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.024{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64AA-6125-8100-01000000C801}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:14.009{B81B27B7-64AA-6125-8100-01000000C801}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047957222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:14.303{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=861ABE7BFABD4A263390B5603B7688E6,SHA256=DADEAD69DFBB96AF995C9806A64239536807DA6DDAA06403539A9B87D5FC7336,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:15.888{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39239D4166E982483C718804DD330EA,SHA256=33D64792AFE7F56F10957CB28613FB83C294BCB814A622A86307F4AC2D04B2BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:15.687{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB404576AEFB53801E2BEB6FD1FAC85,SHA256=3024CD097BEB14B45F52FDC0B6543B6A2D653B0DF76F55F61F3B6E11A714A67B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:15.553{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C52CBFD70D0AE1D1CDD844A71AB00A4,SHA256=CCC423B1DCF09F368C4854797FAA4C951DC4E11E1499A68701BD3FAF2982CD20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:16.906{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B49D01E2A0B82EED69E95751310D759,SHA256=418D76BEB8732B6EAD5E7D56880C2A41A1A38FF532CAF4E93F3BA65A76CCFC97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:16.906{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A387223FDD41EE92F0F3238B48E9FD3,SHA256=5BBA75B2E7EFB37DB723CD15A04D9D218DD9D4FA6B41486D17D10ECCC321F3A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:16.906{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245B3F02B4D11598B3610002982DB541,SHA256=2D3BF4F298CA8DD13D8928B2FF6A091138B67AD080EF7B289A306FFB6C231817,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:22.005{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58895-false10.0.1.12-8000- 23542300x800000000000000030725853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:17.908{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D900D25F3EEAB81D389A2239B3A0359,SHA256=B77CB3EEAA42B7F4B00F26B55E6641BF7795A3DB9A3E705ABDBF62D6E6373B7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:17.937{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7EE4DB3A8709D00581D358EFFCFF0E9,SHA256=381CB40FDBA64A4819B566DE3C1C8C683F02B53AAC90CD341694571C597DFED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:12.885{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53823-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030725854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:18.970{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A162FBA72D1CD877E9392C15F2A98B,SHA256=CA064B6433E0A7DB00C5D3E80909CFC53E4A4B46FA8E3C07B75D27D7D8ADEFEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:18.046{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8875A0714C3F212FAD02BA33A6B8AED8,SHA256=E73722A5490F2C4971D7D919129FC8A6230667C7CCAA966A53B91B0070C34B6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:19.988{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2467379E9AE4BED30D9CE47B920AC8E0,SHA256=6C3363191D0E3ECB90152195CC77B1D310159AA29B8C887AEE2F20FF010A5E8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:19.078{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D646B04B8A0568A9CD8592D0FBD3807,SHA256=FAAA9A64DFF20FC36706CDFAE3599FE277D1996E270A4B0B60AE04B2B81C084F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:19.046{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24318045D08BDA4812C9F1AE50F5880D,SHA256=AA768289CC6F999BC7EE22D64BE85A617FF92307A8AC934461088B4A7D07F1C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:19.453{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:19.453{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=A0CB8694A167DD4E41BB0CB7B47D54D2,SHA256=7EA6294F790B3BF303137FA68A2EC57F560010AD42DF2ABC1FFC9ED1D7AC97A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:19.290{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.996{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EE08B40D35885CF90A17D0C35F9C95,SHA256=23EA3A6C8AFC44C343F90E2401F4F015DA3E1AA4A3F87C69ED4698827032645F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:20.453{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B5625F001D4AF3132FD965927117149,SHA256=E755E936A92397EA8806FC503EF4D20D1242D250710C04DA509A692AD113E2AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:20.218{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F121ABD4FCAF3CA63BF232597B94E62A,SHA256=D0FB8152A7ADE239A2D9DF81E2F6FAEA8A3483A6B80C17303D1E2569833788D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:20.078{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10489B973ACAB29B76E9C6EB60AD7B86,SHA256=27BD6D3BB0609B8231F1343B806413BF29724692554879374A2E4A6543D1B7FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.942{B81B27B7-64B0-6125-8300-01000000C801}9446836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.736{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64B0-6125-8300-01000000C801}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.736{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-64B0-6125-8300-01000000C801}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.736{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64B0-6125-8300-01000000C801}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.721{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.721{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.721{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.721{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.706{B81B27B7-64B0-6125-8300-01000000C801}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030725867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.187{B81B27B7-64B0-6125-8200-01000000C801}10205592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.021{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64B0-6125-8200-01000000C801}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.021{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.021{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.021{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.021{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.021{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-64B0-6125-8200-01000000C801}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.021{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64B0-6125-8200-01000000C801}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:20.007{B81B27B7-64B0-6125-8200-01000000C801}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047957238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:18.081{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53824-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:21.250{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BDA28843777FBCAD58FF0646BC0971B,SHA256=093E0BC567732A5D8F0D98607500AFC0698F670F5C15C1AEA221AA44B4342842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:21.093{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB30C2344B5362A0A80CD190322EFF9,SHA256=5A149CFA3A6A89300F64671BCBF25A6459B8FF0050D4D44355A6D209AC226D1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:26.200{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58896-false10.0.1.12-8089- 23542300x800000000000000030725879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:21.131{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EFCBA9DE75F35152AA2C7101B29443B,SHA256=1CEF0A05B2C432A7A14B91997AB3F58B9B76D212B9C18AEC333BAD09A1948CF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:21.131{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F493B9E54DE409CC5101E6CE04ED484,SHA256=0A270636DFFF0B675803F0FA4B2F88718514DF03095B67F55FA847E75DD562C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:22.531{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E5E31577806FC01FDCD36C8FFCD3866,SHA256=F8EE9B1D561CC323400AF549DB037E5A72F4C61EED1F67A75B8487033789B2EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:22.109{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114F912186DB12BF5197764D61853B07,SHA256=E93983AA0D12CE0492F6B1D4D2A89E95B2B65936BB66E62C317FF1FC6610ABCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:28.008{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58897-false10.0.1.12-8000- 23542300x800000000000000030725881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:22.014{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B4058781F39CC5BFD8DA0F239F97CB,SHA256=622978CB143942CB97C9A2603CC642DE602277DB38EEC53C5E20FB6617EB4C7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:23.113{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64B3-6125-8400-01000000C801}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:23.098{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:23.098{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:23.098{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:23.098{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:23.098{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-64B3-6125-8400-01000000C801}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:23.098{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64B3-6125-8400-01000000C801}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:23.094{B81B27B7-64B3-6125-8400-01000000C801}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:23.029{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F370D1DFBADB946A842A6A6A824DAF1,SHA256=9FBF645AD87AC2BD2E94C1144EE31E81284C293E7D1C8792F0B23247948F2271,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:23.843{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ACC70D8CD00287085448FC4B797B4FF,SHA256=27698E94B89B59EF097F92CE8ACB0672C160ABDD5F895D4B6EACDCDAD21813AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:23.171{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018371E240790430D130D7209FEDF564,SHA256=0827D0767B2003D971B7B12A09524794137C86C9994C0288A8D164E0493B7F28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:24.128{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EFCBA9DE75F35152AA2C7101B29443B,SHA256=1CEF0A05B2C432A7A14B91997AB3F58B9B76D212B9C18AEC333BAD09A1948CF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:24.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98F1AD73CB32E052C23BFE53ACFF7DF,SHA256=184D995F24D194FE308C5ACD225852B83AB55AAE30174B547A28EC9292C21D56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:24.984{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46BF4CEBE2D1556FE8AFB541A848140F,SHA256=55D2D9583BE1BC0605D8242D74AA25CB969C19202BD96A3BD1CBDEDD5A3C89D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:24.187{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28165C6A269EBDF35247A85F3E8DB8F,SHA256=E6E35E3683CD7D8860E7E3273F18A555C2861AD90500B4C34DE79DDCB1565662,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:25.203{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B0EEC506663CD4CED1718D51F9D057,SHA256=6AED4A33D59AA119C5A93D12A3B87ECC66C9338582337490D00BEFBCA6D7BB37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:25.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87469D24B98DB16BFFA04A53C6BD35E,SHA256=C9A9D8C1327B04C2C4D90209F577E535508FA7C594E9EDD0A8BE750588C0718D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:26.390{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=931D6B46B2C640EF4A255E10E7995F1A,SHA256=F71695F7E8A0ACE120ABE940E63D6C7FF11220319D5FF1C13BF29083884AE01D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:26.250{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F052004617A183CF661319A7A9A0A1,SHA256=462527E36891CCFFA541F6BD83592B574E317688393E6D122C7D1DAAFA74C538,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:26.091{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC8CDA399D3C0C4C8AABEB2E6BD6C6B,SHA256=9319231AE7C9F07DBEB5DF981C867318D95F4957418454C179F1D051A38827E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:23.956{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53825-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:27.515{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64FE97AB6D24AB7371F80ABB7CACEE4,SHA256=363D2872607C6DB0C33B070ADF37EBCA8502285A7A9F7CE771778759B8B906BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:27.265{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299299A19104E963BB0394D66945E60B,SHA256=3BBD48674755958CA7B889F5E546A4BF83221DAC848874FECF65B0582D5510C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:33.073{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58898-false10.0.1.12-8000- 23542300x800000000000000030725896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:27.110{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA3EC565DAD814AB14E6B7F45990FB3,SHA256=4008FAA529249FB678073B823C72558BAFB96084020E8CC3B3FBCFB9095F5830,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:28.718{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D3E144FE5E23C6CD9239A9DDD98446D,SHA256=E9F84B4A5176B69A225228E2BAB4BB9BF53C6DC4F335F5805663BC6D34D46AE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:28.265{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D61625EA4D86AC84EF611799D192940,SHA256=CDB7074871DA01DCAA8A0EBD053723A4EDB2BB87A4A05797E7FBA593756CB2D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:28.125{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5093A7204B96D562A292D0B7CBAE9E,SHA256=4DEA499074FD88B24BE82C1E563AD8C73BED8A84C528AFA20BC069281FE141DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:29.139{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B018F4B68846D723C7780003CB0053,SHA256=B3363FE73B2CF587A873B6E1AFF85F458A287A64EDC559BCF8E26F295EFE156B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:29.797{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33CA184EC7455C93EC339FAFA3AF3BE8,SHA256=DFCA1A14B1C4E3BE9E2FAB57FCB9CA47817FF8A4E16139C683FC450F5459DEE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:29.328{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E64F1D733CFE418F2E8B12A618353B,SHA256=37AED22F4EBA06087FE5C744F73862CF858CFF5E2D22920EC9E337340C4D0A37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:30.171{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E684AE13F7D651D3A9756042ACBE1C8A,SHA256=0A44F2C41F70334B7FEC0F3C1DBA2C3BE8DE2AD4AD62BC2D7CE531962C1AED66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:30.343{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDABAE2F3D0C90E856C08F5427C37749,SHA256=9C7C372089C6A87A869578F528749A82CF9F800B3C1210E3257C5CF6EFC95C39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:31.187{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A336DB5837E129239CA2077D485B53C,SHA256=9363E752BEFD501622E4A0003D63D7DEC241E297CE66CD9B1AC663D6C0278F31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:31.343{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A946565000754431EA99B7FF018EC30,SHA256=70D2A508A2480AF253B2271A03AA6F601A32E798E397F4A29DD1C79A06DFA102,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:31.047{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EDA2A740B767312D76B0F53B757C808,SHA256=C44BE4DE0ABE2E553FB8B810B12B4C19AA13AC60CE481B83046896389D204831,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:29.050{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53826-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:32.390{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3698691A7F1C83FD8CF4E07280DBB1C,SHA256=4EA2B74F5F900B09F7AD7491F90F4D77B0B8C01D574DED3976F0A621B7E298D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:32.191{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE70CEEA887F22AC1149BD8814BE607,SHA256=7FF74415A18EDB0B52692746897330157BF4AB8960A9B2A98EAF890BC20BA4A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:32.234{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=115F7B0DAE5315D80385E457C9F2163B,SHA256=EA1F82A5F20AFAB89DD58F4D6070B57649B47417C3A7976652B6BB2B5A35A971,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:38.116{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58899-false10.0.1.12-8000- 23542300x800000000000000030725903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:33.222{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A083D1E79D9F679CFFC61D1A616EBF,SHA256=5B58AD7910BD7F8752DFF081656D4B4324692002DAF444068E4177A81DAF6FF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:33.687{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16210506EF7C061CC659A6E2CC954A5A,SHA256=DE053F7D3AD1977D872E5E1EAD3FAD2F0E6F09A0FCB265FC4E52049D2B9886FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:33.390{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E2A6B308F5CCF39BDB72E18F060782,SHA256=0AD036918A2A804D71B54D46FD23982F3E4C96EA5453772FE0997E229D3887EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:34.828{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D205869CAEB81741D7A3B15432B4E7,SHA256=43720434767AD4322B1ACE9751780D13A7D0370D60E82BB739AB1DB3F653CF81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:34.406{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5733154260DCC5047D5B78F431922829,SHA256=715CDE39C6B46FC045C561DD48EB5D6A3DFD43A4234E2FE833E2D75000370CCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:34.286{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBB0ED539B2E6735756B39B60CB3AE2,SHA256=495519F34D7AF8ABF1CF09551F389B927E325F9CB082D2C80688FFD000F66A60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:35.384{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89D9E5B733510C5A1FE85A650F7CD86,SHA256=6F8302DCEBCE41D79FE59F911842BF13CAC61AAB651E3140B946CE5688C7C5EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:35.422{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6D343E5AE9C8E30D0BA496096FBCA7,SHA256=78317C05AD061A49860744AACF5063A8F19DA40390E50EA85F59D936F1010EC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:36.403{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0B98A1DC4ED66935BA153BC08915D8,SHA256=6FEE2610A44D51A0A26D35CE9E47F2C49DF5D548E5E13C6AF143BF2C32256B5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:36.426{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEDFA1E10653CC0168A7B9EB1915BF7,SHA256=FA37D1A827812019534D389CEC466F2C850A21F555A75F5CA4FC5995DBC94B3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:36.066{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63ADD642707ADAA76DDD92FFDD9AEA8D,SHA256=B2BA749935A3503E269793034095CB56BB7F94552A0F560494BFFACA45FB487D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:43.134{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58900-false10.0.1.12-8000- 23542300x800000000000000030725908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:37.449{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C930B5109DB222BBF1C6A742B01763ED,SHA256=E6E294E9CFF9BB988C8509404347BC9670368BA0F7E15159C8A6D2E77D95E920,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:37.457{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B735812BE5E998850D173C11FAC0064,SHA256=BC87D8ACB7FD9E4D54BE2AA4F8033B045B0F8801BA24082ACE1C1BED4FAFB4B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:37.301{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0666D8E568FE4880A95988831D5AB559,SHA256=A90D7C73F036637F1E3D99FB7F8EDA11F4AB76478768F710F9D33B3C3DBB5FE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:38.463{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04CB56A90E5041C8AAF4FCFDF272A52,SHA256=FB9B46AC159F477937E59D3FDA6C1DDF68E670BC863EAFBB0DC8109B188310F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:38.816{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=922BF067DD3BFBBF2EBE4EA820DBB36F,SHA256=E18AE63B9EEEA0FF464A2B96B02E992D58BC2F22416B91FED4FBEB1F4F62089A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:38.488{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8D51E4A8B08963D8EE4FA9301DEE2A,SHA256=C5BC4A05B6C165EF78F9087EC1DDFC9D3084294D418CFA3F24F947511FBE5914,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:39.515{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F908EB60971989C51503F4BD19A3633,SHA256=BC2B7E2F245DBCAED00D94A01F46BFD70BA8EF953441B3971179E42C3968BE3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:39.879{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CA16D652A8224E8FAE8E2E0C0FB18C9,SHA256=52D730B8AFD47532077A345DEF5C114DB3F8065C79EE0320F55BC4870B13F028,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:39.551{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB669BCD3427923B5277BF133F9724F,SHA256=40B75A5B24224569DEA9B15A1A00FE170D17868FD01A12CB7979A4F6A723210F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:35.022{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53827-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:40.566{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EAF7D2AB9899ACFA58768922394E3F,SHA256=F333A0D638F366E069519E9E35007B841441157ABCB5CDB4C536FDD0ED85D891,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:40.545{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4707A80A76FFAA51ED99D35902885998,SHA256=0F53BEE20748A8DCCD0E50DCCB12A6CE227535F51A458DE99F921F6E83C66255,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:41.577{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24A32AB571EEB1D808B40D23F252E99,SHA256=BF3CB149B20E5F9649D634B21F33D47FFF716432D4120DF4E5C260DC3C912D38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:41.613{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51258E42E1781E3C8A73674CCEFA1C28,SHA256=BA2272254D1D4B58491BBED43538D95C3B0D5B56EF4423FFDF439464F1256556,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:41.191{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5939CE5299EF7BF7AD776A04DD342D42,SHA256=674D11027E14A02CBC3D34E228DAAE3AA9C3F852E459AF53F3739A161E0B89E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:48.159{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58901-false10.0.1.12-8000- 23542300x800000000000000030725914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:42.596{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D843B5B9B798224975BA0064674590,SHA256=37FF5F0D037FAEA6AD2BA33C609E2D390A4CB8967E5B96B193F87C83E9F201C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:42.676{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10871B2C5FA6CB307CD05C571A5EFDF4,SHA256=FF99ACE34B95B8D1EFE5A7ACCC8CE5AAE4D7ADC8914B2F8D453E3EC095ADE888,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:42.254{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8780C8D99445355D0D92043A7EA97630,SHA256=62D68ED9152C80A2317DC0058780E66FA9B39127C3329AD7C82139D0A5CE06D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:43.657{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAB417FA4DC770A98742173BEC89C9D,SHA256=51C263F911E473269C2BB2FE82027591537E0A005B5637D0F485F93C37D954F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.863{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEBAC708186EF0C0FDEFD87043546C2,SHA256=0702E3F2CE9E82BEFC94E90DD5524492CC06E7483AA620765ABD5D27E3F59F30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.863{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7633BD583FD7327F2976F1A79C89D5,SHA256=983A9203C67CB91B5CB07FB0C7EC437A495B03703448D39CEED1850A4401D49C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.660{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047957335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.660{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.660{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047957333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.519{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C20C5A3AEF117D0282A6C48C313676C6,SHA256=381748EF725FC0F744DE0AA700D2B75AF8F365976A8213A3BCCFF4A23CB83531,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.488{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047957313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047957309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047957297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047957296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047957293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047957291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.473{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:43.458{3BF36828-64C7-6125-6FF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:44.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6868BB209BDBA22ECC848FF6BE9F42A6,SHA256=6D766CF3A5E4BC702BB2060ED0E4644E0AA712A453ED0708D6401FB151B60ACD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.863{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.863{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.863{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.863{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.863{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.863{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.863{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.863{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047957426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047957424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047957411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047957408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047957406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.847{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.833{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000047957394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.301{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047957393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.301{3BF36828-64C8-6125-70F4-00000000CA01}52322564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.301{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.301{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047957390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.176{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.176{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.176{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.176{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.176{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.176{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.176{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.176{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047957370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047957369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047957355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047957352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047957351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047957348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.160{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.144{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.144{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.144{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.144{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:44.145{3BF36828-64C8-6125-70F4-00000000CA01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:45.693{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEF935D3C030F4056AA9CAC6066AF35,SHA256=EA88B637F7D1E94409F2DC0503ECD6D537D478457573F96244BE301A6CB32363,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.972{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6E010138A16D0509A914AD04E494F16,SHA256=47EDE21C220A3739E8A95D5BA9E85D006FE10D12956C47268202DE5826D8D21F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.879{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E68198AA3335C733E90B4E3525AC62,SHA256=5040802197F7FD4CDA03FBC81F90949C36C5AADAF49301B1BE68784A6DB4C2F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.816{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8064B9BFF47C1666669B57988BE15260,SHA256=E14BE85BD66C5EB9FD335E86E9E3D179D36305F8C837677577F596A75C386C77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.676{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047957510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.676{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.676{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047957508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.551{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.551{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.551{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.551{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047957493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.535{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047957480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047957476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047957472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047957469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047957467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.519{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.505{3BF36828-64C9-6125-72F4-00000000CA01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047957455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:41.022{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53828-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.191{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1745CCC076C25807683B2183AAA76AAA,SHA256=4B4D6F168D1E6D3DE89A31C077123A4755C6D1C4A22937DE4B610CFE004697B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.129{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3954DFF29BECD0CB0953E95EB6BC1A02,SHA256=89A3E9CAC7634932D74E066817641DA1C4C88F3A8CCC96307480439767476B7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.019{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8495EB2AAB0011840DA51516D221F92A,SHA256=4F38F1FF47F760C3AC6476CA77009D69AB9A90CBF165195F85DB19B19DA6A776,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.019{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3D2CEB81754BB2F128A4557AA016893,SHA256=0BC54118CB6E918BD97DD4DA8FDD738E553EB52EB0F231A054FDD9626E41065B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.004{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047957449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.004{3BF36828-64C8-6125-71F4-00000000CA01}11245524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.004{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:45.004{3BF36828-64C8-6125-71F4-00000000CA01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000030725919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:46.708{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E97769B8A62928B6795CC24FEA54BBD,SHA256=B0E984D1208F5F003BB8C2A7F066F158F2EA607AB7A04A03F99C386467F663C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047957634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.941{3BF36828-64CA-6125-74F4-00000000CA01}51121484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.941{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.941{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047957631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.785{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.785{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.785{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.785{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.785{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.785{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.785{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047957622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047957609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047957607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047957595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047957592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047957591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047957588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.769{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.754{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.754{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.754{3BF36828-64CA-6125-74F4-00000000CA01}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047957578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.488{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6716EC401764C181A28EBB801336AED3,SHA256=9A31C7F0554DC6BDCEBA108BEC002724165D87684DFB3D389FAC5FD296F12EF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.426{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCEBACE804B2DA2C433FAF123EB4463F,SHA256=51CB603F31762551E7279E2E87BA8744B6F3D5AAD28B84788F1AE7343213510A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.363{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CEFCE94194C10EF445618961EC57A0,SHA256=4F6CF657195083AC07BC8DDD0B0BEBAA94BBE26ABCFE84757DFF0D54A2476EC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.222{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047957574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.222{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.222{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047957572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.097{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.097{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.097{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.097{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.097{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.097{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.097{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.097{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047957563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047957542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047957540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047957538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047957537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047957536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047957535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047957532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047957529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047957528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047957525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.082{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.068{3BF36828-64CA-6125-73F4-00000000CA01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047957515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.035{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C4CCEE6831A06BD56F8E5E1201B020,SHA256=26FF8321B689A893E99407E146439A26D528C48A7BA9643553AE9F3C5AC049C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:47.739{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61883C2B4F8A96A3C22171E332108D3,SHA256=5979599B88672FB0D87770138AAB2371B60BF8AE4E509D2C07B60B3CFB51FCD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.941{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66299C0305802BF8253E36A3A4FE4808,SHA256=2D3A17D7540087551468659319FF63DA2F7B228FF5EAEECACB766D12CFDBC995,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.879{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D09B340AE990A9F736595344A62EE65,SHA256=76607814B87F786DEF429F0275C90A2F42A1D09C2C0D604EE99ABB7D5AF178A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.613{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047957695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.613{3BF36828-64CB-6125-75F4-00000000CA01}56641544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.597{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.597{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047957692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.472{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.472{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.472{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.472{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.472{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.472{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047957673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047957669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047957657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047957656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047957653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047957651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047957649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.457{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.441{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.441{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.442{3BF36828-64CB-6125-75F4-00000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047957639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.254{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A66C3E8D64594B1C9C70B08EEC86A51,SHA256=60CAE47C4C07A751B6B48AAFF3E318DF72162DB45903B230ED8A2A8368AD5FA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.191{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5A4050EFC1E3956995C7D2EF7F28527,SHA256=DF67DB923B5CACEE2CD2A2F8DCB9502A733315FA2E1FC61F2D79CA7179836267,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.113{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BD4A37B1F4CF8F24382BB4FA97B0AC,SHA256=F323C820E015DC07C213FBA0E69BFFC9AABE87BB5AD3EADCD1119F80843C895D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.113{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFDD831BEB352FE8D9B96EDEBE20FD39,SHA256=D28A249E7C1F530A18A501A738ED97F79BDAEC3EC484844F8014E8DD32A9E563,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:47.113{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2CD3E52CFBE838CE1F789E218CCD46,SHA256=27CEEF7C5734F6FCEEA63B803C6AAAABE7E27404AA1F5C67EE40E4EF9145CD00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:54.054{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58902-false10.0.1.12-8000- 23542300x800000000000000030725921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:48.771{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1C2636275F727CD13DB31DF3F25389,SHA256=A38CB574B836499BA54903F697229354A3C5A7207F251E71D181063F37C3D59B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:48.160{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DC7D06D65CA50C54DC04AC6E8012A19,SHA256=2CE5CFBE3CC326C3F2672F8E33E7830519C920D4884AE19A6F80CEB9F5D89787,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:48.113{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEECC4F5EA5DF878872F4DF8A3400D00,SHA256=6CD550228510CF75DEDD8F56C9AC9CFD857BA59B73E775F6FE22B265DDEED53E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:48.004{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B704EC86A3948DB5BFFB3EB2D55B7991,SHA256=5621A1D24E5FFD00DA8BB938A4B68BEB3FA25C0FCC9567C7F47B39E5960CCBDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:49.821{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B992F5172707D8E0171E4BFA5D6CAF97,SHA256=EAE98A88D4E277D74202ED42666CFCE29272D7B6CAAF2EE3D025EE8561DA3C0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:49.301{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=386BA7423AC7CA34D31B81215FDCF322,SHA256=6BB9566812EB8934874A34AC53B3E23C418EEC802DFC038295381415425C9FB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:49.144{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE3780FCF58F88C1010501315700BBB,SHA256=916518EA6CCABDC23C24056AF7F97BA4573392AA35F7E3722970A3947281380B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:50.836{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9985C73D1C77B53A2EC30EC91CD4FBE0,SHA256=EBC3A0ECF372DCDD3BC8B5740E687230D6521FB884CB992253DF9E587D02AA7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:46.022{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53829-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:50.441{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BE41F921D78452007412297A573C1D5,SHA256=B508FFC8C7917BC76339068A611129E5D3B6A9EFB58C182F58D4F94954757FE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:50.160{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E511921E01343D25D577AFEC85F651,SHA256=5782BFFBAA58211613901BBBE8F7CDB816C65C2BAE56EE00C405BFBB9427F577,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:51.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B841D5DFA94D093400151BE4C9EA4AC,SHA256=674902CFBCA9FE4510F8A4561B56608DC0B4AFF5C744A4B4591334D5D4A74B9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047957723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.926{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047957708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.582{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EF761BA7EB87DECEAE3EB6D0BB73ACF,SHA256=2A5604B5ACFBCBB22024F54BAB61299AF272DA92D7B77DC38D4451C0A233EA80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.176{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CADB05E750485C0935DA49C9A1D3CA,SHA256=6961731695FDAA01D6BC3EBA7F0581518752A2318754D9D09719F5618EA7E82C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:52.867{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E463AE846B2ECE7A069008E589F1481A,SHA256=B957B888C1FE576DF4FE90A5EF15F2E76FAE33AC9C778BF07D66AF5F9C3F4233,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:52.723{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC21DC570086E38006965ABCCFB793E0,SHA256=9024D01FB71B9E535B86C6A630D2BCE0AD63F764431A4F85BAA37C3D442D53A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:52.222{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EA870B501E1B97E42D1D62A3DEC792,SHA256=B5C5D5D860F9F39A1B601850B62DC89D35168AFA6F143716CE81D9F0CCA62F83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047957727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:52.035{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:52.035{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:52.035{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:52.035{3BF36828-4019-611D-0B00-00000000CA01}6284704C:\Windows\system32\lsass.exe{3BF36828-4016-611D-0100-00000000CA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000030725937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:53.917{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33926FB25591F1A7195E0E5B829E11CA,SHA256=CDB9EF5409B43F790811CCAB1CC1220E381AE6D2BCFE1B8883DC1C21E3370589,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:53.973{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C5AF3EB77F410206B5FAB5B1108715,SHA256=D711184E29AF8366C564BE40DCF9B1E00B08782D4CB006348F19313844FA00BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:49.885{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53832-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000047957734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:49.787{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local53831-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x800000000000000047957733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:49.786{3BF36828-401B-611D-0F00-00000000CA01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53831-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x800000000000000047957732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:49.778{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53830-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047957731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:49.778{3BF36828-401B-611D-0F00-00000000CA01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53830-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000047957730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:53.254{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0131BD953BB0E518493EE6D6732312F,SHA256=BA6405E3750EB720AECA092741FA627C60A9EC11E7B4127C62FA51D3DB6BF2DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000030725936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:29:53.465{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030725935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:29:53.465{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fcfb57d) 13241300x800000000000000030725934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:29:53.465{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79926-0xcc24b25a) 13241300x800000000000000030725933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:29:53.465{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992f-0x2de91a5a) 13241300x800000000000000030725932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:29:53.465{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79937-0x8fad825a) 13241300x800000000000000030725931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:29:53.465{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030725930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:29:53.465{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fcfb57d) 13241300x800000000000000030725929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:29:53.465{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79926-0xcc24b25a) 13241300x800000000000000030725928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:29:53.465{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992f-0x2de91a5a) 13241300x800000000000000030725927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:29:53.465{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79937-0x8fad825a) 23542300x800000000000000030725938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:54.948{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492D72CD05821109C19645A599547AC9,SHA256=FB7699547EC5DF9F72BC3C312AB25368412F6A3AECE84CF4767997175D316B63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047957751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.832{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047957739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:51.101{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53833-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000047957738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:49.885{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53832-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x800000000000000047957737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:54.269{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795DE8E2470E186602F00704C1F0886F,SHA256=99E0EFAD27FE47EC42999574726CA786B5190172CC31BDEA9F1904E61A54CA63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:55.965{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0CAFC78FA102B7BB7F302C72697100,SHA256=F0F0829BA70DE1939D1BFB3375F461455D413A8D559E8AA37F4F159D3978E018,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:55.473{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AB9D1044C9B018338AB8C3EAD83A3B,SHA256=3BE07213AF1F87CF1B1EA4ABEC68027DDB9CE8A112F2504DCA7A9DF2D0B0794C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:55.473{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DC9BCBE384B44BC2D4841851F196AB9,SHA256=9A60BE6E0AE4536F3AE3F9B54F2905065EC740FC4E9F75338220F3BCEBDAA7BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:59.167{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58903-false10.0.1.12-8000- 23542300x800000000000000030725941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:56.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE970F3608B23899EE80099684596D0E,SHA256=969702B998FF08181B8A07CD4C341E814A42E24D91FB1DF88C3E6EDD672A03E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:56.602{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B84F0E415F9E18ADC9BBF66B56B546B,SHA256=F54B611F983685390E2E3C37247DF51DCD59F9249438A82611EB451C55621C5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:56.508{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BF60A86BD99CD52897F38479EA48A5,SHA256=77CBBD8F17D2C18298411662B4FAF3502323083BC1E39F3126714B999C583C50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:57.742{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2D619F72D9AA16DBBE9F7C3A30F835F,SHA256=EB8AB0A48A3E0FDD223934B5BB9B13E7BF7F1C29018D0E07AAD85081AA728BAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:57.524{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1645A49BCA51143A8AD034FFB0750120,SHA256=75BF8D5338B3251567D64DC57A04628FC720E07765267000D0C2B6506065C752,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:57.583{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047957759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:58.883{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05B5ACC9CDFD70218A4ED1660E3CE6F3,SHA256=47CA4D0E9AEF1D4235B2E27CE1FC673E41019B03A5BCD492273308113E240212,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:58.758{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044D3508991726CC57FDD030851FCA64,SHA256=F29512B7C9DDE1BA194F800EE24D7F76E0C3AF0794B6AAAE583F215B659B21D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:58.244{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A953CA48B54FC7217CCFA2735215AC9,SHA256=31B9C4C64DDF48AFDEBE41EF18D98059D98A5F3F0C1E4171953943F117D26EC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:59.992{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9F46442D6B92F0C59A7055CBFEEDA0,SHA256=DCA6CECA49E19677EBABCD7DD9A61F37E2D399E0E8F49677AECFCEEFDA8CC5D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:29:59.261{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C95E2A9EB16A81E3F9E0E7513E6C6D,SHA256=5A41A268EFFCFDF59EF1A7BB79691B4FC63066E7D1BAEF446E091F905D263C44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030725974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:05.191{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58904-false10.0.1.12-8000- 23542300x800000000000000030725973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:00.280{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8896E8E37D4567D0B1152DCEC96F708,SHA256=1F3EB3FCDD4409E01C904A2DF8D1C9254EE286C06782F225A4F4B5B11F4BDB14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:29:57.058{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53834-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:00.024{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D40A70BC927182DE285DC708EED1B9E,SHA256=3604352800485AA047B6C43EF8500BE7C966ABE51F432809013E841FA7771B36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:00.180{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E4286DA5019747DC59045D7DBC700BF0,SHA256=F66B0A382CC7E3D4B6A350D57EDA45E5628F732FBFF7B7A8D9EBEEF4E6703173,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:01.342{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EE2C31F1BA0C57EF6306D4CCC3EB9A,SHA256=336D83C3CE48D7607016879664A44F6238D08AE5BEAC0D98310F0D8538F5046B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:01.164{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D5F7804808E799549E3933B6356B204,SHA256=16C0C00E5103093C97F79317D7174CEAC2B19147A6B2CEF2B599FDCAE5D213D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:01.008{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F909341EE2FD8C87F0D54782234A5E,SHA256=9BDA7CCE10B02F93DF7DF630D9AB333A6A19B8A2A693311C160E1D0C400127BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:02.361{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CF00C800ADFBFED30A98DE1FD57282,SHA256=C547E9C07C39A01432797EA14ABFB679337752E0372235420980D7F7EA4CA3AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:02.290{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3CB56E4126C96C701D3ED3667DA5B6C,SHA256=2C14F66BD9DE43237AFE0BDCC06A221544B380D7DEE61068E3A854898BC2186D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:02.025{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE74DA9120090CCB5F3EA8A0ABD9B5B,SHA256=4E3C1239D1F5B5C08962524EDD82BF76722F06BF1E8F302B3AF8C66AC95C2917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:03.861{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64DB-6125-8500-01000000C801}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:03.861{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:03.861{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:03.861{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:03.861{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:03.861{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-64DB-6125-8500-01000000C801}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:03.861{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64DB-6125-8500-01000000C801}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:03.856{B81B27B7-64DB-6125-8500-01000000C801}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:03.393{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5553786F5900204285E6A96FE2F822C5,SHA256=8F708AF48813345CA839BA615635CAEB215DC5DE6FE5360E3CA175BDE2424013,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:03.557{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8DAB219F7469C001D1DD92E406FD553,SHA256=836FC2DD1D4A0148760D9FAE4AFA96A3834F58E1450131A69A85755EEE91E515,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:03.026{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AB02223253CE9C9EBAAB0AA896789D,SHA256=E5C7E73028B695825BE488E19327F5D92C9FE6D2417C0DB837740D47D6DB160B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.861{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4F57292F6BE15A79F18350F67A8BEC6,SHA256=2D3B7C5F02BCFC329913AC795221C023269F09E931BB1E14B65F0335960C36BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030725996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.861{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E0AF8E0087C6C56078AA55A0DA611E9,SHA256=B322B37A7995C0D6D0A963516BA7C3BE5163EF3E6F6ACDDF1CF7C20AA054D46B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.508{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64DC-6125-8600-01000000C801}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.508{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.508{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.508{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.508{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.508{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-64DC-6125-8600-01000000C801}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030725989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.508{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64DC-6125-8600-01000000C801}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030725988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.494{B81B27B7-64DC-6125-8600-01000000C801}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030725987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.408{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDC46DD2D54A3B67F667B59C2A54F5D,SHA256=455177CEC54354D32782C571F5F5FE566684AC38AA9D30D5D6FA915882A76238,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:04.748{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C782279BFC0C68B49B7FB0BA79E0F6BF,SHA256=083ADC2FF865F08DAF6BC244E74EA640BFD5913136C3E6C39B7472447F74FD6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:04.029{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122C33F26C8C014CE5CBD6AC9B2D6B6A,SHA256=8C1D29AF2A3EA588D2CCC8B064B9B6A5FAC7BE2D66425BC321EB438409F1F536,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030725986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:04.024{B81B27B7-64DB-6125-8500-01000000C801}62285688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030725998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:05.423{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD54E1382EE294D7DD5E23129030DB3,SHA256=AFCEF869A1783254B70A4BC6DDEE468E1C11420C0B130E1B2AD962A73462728A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:05.858{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5055F3DB20E10C14DA434FE63E4E429,SHA256=1C21806FA87EB66C877DB39FE0290F22589FDD180D55BABE68CDAF5D1719EDF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:05.061{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E90B597227E27D2316ACB5A0FF183F6,SHA256=3AD569FBA646B137451B7BF0FD3A5C6ED5F53BF83A4F630C141D0BDC42A80B5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:11.186{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58905-false10.0.1.12-8000- 23542300x800000000000000030725999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:06.490{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4242EBFC3B4C3713B5D7AA27DEEF2FD9,SHA256=ED4B14973207DA1961572AFF236266B4D0FE55B13EC2F7EE4D7BD14FC4ABAAB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:06.311{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FD4D49B98748A9533E489E8772B3B4,SHA256=1601263A002CC16C2B231C47C401EEBF4D9CBA41D9F7EB40040EDC48783CC004,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:01.862{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53835-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047957773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:01.862{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53835-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000030726001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:07.520{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142FA3A66C2DAFC4FBB4A3D5BDBA0DA3,SHA256=338556365A30A3E7643E0CF034771AAA985E3F5B6618FDFB13FE3E4071499E90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:07.342{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=238EAD9962E0F827B4EA5316D3C320AF,SHA256=2EBCAF09C16B667C15DE18341CB0DAF2A4D6330BBA363E159F1CE3D8B2C3549B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:07.326{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED9E409E5B6959E0F9316475823E3D3,SHA256=0D5EA30C5AE2B7F2171D7997998057DCED9E5235415413FAC521FD154584242A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:02.907{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53836-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:08.483{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D822D0E6F57AE800209E978EF51A2A2,SHA256=2D28C4E39B429235F8FBBDCC6EA373EE1C8F88828911E2B7B4A97A40AA1A8D7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:08.342{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F4BB5EC647D6048460EC5E02FAC475,SHA256=859BCC0A4FDE672E80323A58EAF996007F729F44AA322101A60294BE0CE23817,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:08.553{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FC83BB09962A6402432F8DE8C04241,SHA256=44F73D5943EE80BC7260CFB331611845E54EDC6C98895427E3F98FE0107A2E0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:09.571{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B79C795EEC0090B4B2679BD77F8C354,SHA256=3D508C0E974C28C4A7D2C5C74B4865E0907C653F568339F580AD22C871C5091B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:09.811{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=731FFFB03BB9E2EE3616B49995C96A26,SHA256=4EB348A2323A7F1BD938C39E458C4A4E2F19460A878557CC9026E8C5CC154282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:09.358{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D9296D42916A3F532E1C828B196265,SHA256=BE8FF68A41C650B11CFAC8DF6C9B99EC5E0A29144B19C941FC7EC0C2F7F33B87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:10.654{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79F7BD648F9159900797998B984B241,SHA256=EFE696EEF09AED740A2D8096BB6833100C868B112B6402565CBEA9BB74808983,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:10.842{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4EF220F9D6BF3B74CA26D901F9E5586,SHA256=96C61F5A0945B0A07B99C1C7E57123E5D1393392DDD31600F6A61B3B4864B5FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:10.389{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C1C4795FFF4521287727E2E533B347,SHA256=002F42F5F89B0B29714FBA876C482F7FEA8CD5C05AC1EF99A6BE3A487565D974,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:11.669{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A6C438E685EAC56A6AFB356801FDD6,SHA256=E065A7CD19E162790BCEB746B4A808917A5391CD2C420AF990C966B29093201D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:07.985{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53837-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:11.686{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:11.404{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96EA14E52ED04F3379A2ED52C738F50,SHA256=59EEBEC2CC792350ADAEF5C6D7619305F67547B6D296BC322F1FA3372F65CE41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:12.700{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C6A2B83729856D5E9172CD0320CA38,SHA256=F36860BB6174D687A8CDBC59F92AD74BFF207A5ED6479337B41B910FECAA3C41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:12.404{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7F1E4C9E6DA706B88546C010C1ABFC,SHA256=275737DD69C9BD3F9071C52E8A422A9F383EF981D8F81ADAA98E4AD92CBFFD0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:17.133{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58906-false10.0.1.12-8000- 23542300x800000000000000047957788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:12.108{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05C7DC943DE4F6ED9DCBDFDF3871758,SHA256=6EA59AC2BDC292021C44E8E3AF8CE62C0719FFCE5C66E4D20673E1178E109399,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:13.752{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50803D21F649CA678A99E693968D28F9,SHA256=5577458587DBD70E532EC9A838490A7BE7767466A114F9B5E3779DA318374533,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:13.436{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D15287A685203AF928CDA8FA4D3BF8,SHA256=2605D0F644B96200F5F4CA6E1DB4AD4D219483F3BD6BB3BE6F8425AC8884676A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:13.436{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1973B5F140A648F1B5AF5AAE642D1FF6,SHA256=0C98C1D04993308F6402A66C25015E1ABA868248F4D1B6F93CE98313E9DF6574,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:13.531{B81B27B7-64E5-6125-8700-01000000C801}69565268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:13.331{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64E5-6125-8700-01000000C801}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:13.331{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:13.331{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:13.331{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:13.331{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:13.331{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-64E5-6125-8700-01000000C801}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:13.331{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64E5-6125-8700-01000000C801}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:13.316{B81B27B7-64E5-6125-8700-01000000C801}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047957790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:09.501{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53838-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000030726028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.783{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA42B84E2099C00DBCECBCB9741FD524,SHA256=645B4D48E97DF97C74C5AA19047BC7350787F529224BC609BEBACC4BBCC99974,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:14.748{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A56EA910ED70DF521A19D284659EA6C,SHA256=29EF8EE0363DAB869B4579EB3E0860F578C9D23072459B608CAA9291E14EB2B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:14.451{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3DCE47C84A21F94EBE5F2D6BA2AF03,SHA256=E1DF7B9C9ECFE391D6492997C42BF4857462D197058BBFD4BE5ED77FA48B1642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.315{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13292C455FC63F8488DEE01C40BBFC48,SHA256=950AEF5A5B8DA6B2A1A482D6805A7F2B5BC3AF8545519F7BFA6897143E985EAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.315{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4F57292F6BE15A79F18350F67A8BEC6,SHA256=2D3B7C5F02BCFC329913AC795221C023269F09E931BB1E14B65F0335960C36BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.016{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64E6-6125-8800-01000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.016{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.016{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.016{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.016{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.016{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-64E6-6125-8800-01000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.016{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64E6-6125-8800-01000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:14.001{B81B27B7-64E6-6125-8800-01000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:15.798{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF16F1FEB086B686AD34D84FE02A0B09,SHA256=69433530E42962F4B06F224C08356BBB8200199CABB3F2586E1B4E118B179C4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:15.898{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4B4EACF49992BFC0C3E846D0CF41F08,SHA256=CC9C5F76B65D962703C4D4F9822A73844F22384AC8B2F4672613337A763D1B07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:15.498{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89EC8C482A49651448458995B27D133,SHA256=D398BB52BD0023077A8ABE60C0CF77E4329B3C741F6A6F8E88D2C2E4B8EC6479,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:16.829{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E5585EB223CB822B1E528B20918D94,SHA256=49E7F3703DCEDACFFAE7720108EEBFA09A4C55BC88DDFB08CE7AAD2F6DFD738D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:16.507{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A89BF33B3B1B50AC960F67B5F64E34,SHA256=C890A26B6FBAF018DD8CB4FD43E43EDBADC7457AE1F247C218FE695E4A210913,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:17.846{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D243927202086AE5965A5DA285C31F9D,SHA256=3D4DF2A7F0A4B453BDC6FFD6FBC7BDE23AB65EB4628C85536D5E7786595D00C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:17.523{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90529426B72770A0B9402D2ED903D68,SHA256=88C7951697E2DE84CEE144803BCECC19E19690E9609A410CBB95E81A701E0A57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:23.128{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58907-false10.0.1.12-8000- 354300x800000000000000047957799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:13.032{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53839-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:17.038{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=689DF5D58239707F0640E3C209DF7C37,SHA256=46ED9A188990B7AA0F2EF634755DF1FD86C9925CCC32B546745FE82E684987E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:18.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848C963156B4B84E16949B7A79D498BD,SHA256=2197315C6C50E238932C74C8ED6A033855E4F84D01FCB1C2E20A70EB5EDE3DC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:18.585{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BD2843971EBBA60A67F61D0CBB7A4F,SHA256=5FCFF3C0CFD084A99399349D0EDC7C38819581C4CD614B42031E23AE5C79602E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:18.257{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAB52A298F1D8BADAE5D0E82C424A1A9,SHA256=8E3997F817C02A89E9D65F6A885701933E4243FDD033B4D15BA306961927B0C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:19.879{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B100FB7B97A5C5A227687C7474D480BD,SHA256=E526818B11653AD69A707B59C93F853096D07FF70895CB2765CF301565A8CBE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:19.773{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E19C97C23351C629D9567BBC96FF46F,SHA256=8F8058C525104A0EC6F4515E65E597AD92FA115EA802BF4AFFD12F11F8C22925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:19.585{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BAC8EF6932478A5FBB80462646A30A,SHA256=28679CEAAEDC8055C02DB8AE09A834CD241138A367AEA7205029046526EDC5CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:19.311{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.910{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340A24891AC95660839F29B0ED356540,SHA256=3C62B5E705B86766F7AB7F3BFE599E43273254179DF44D0A7C4DE11CDE9DAE35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:20.898{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BE7BA06F93BDFA717AA9139E5F06F71,SHA256=1A8E8C698B672EDA033E4C8958FF3D93006DBCE96B4AFBA3E254251694D639F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:20.601{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2A49B6D2159CB4B485F5BE779654D2,SHA256=FFF0753DD95C23FB9CFA4D35CE659AC70879133D65336E7C0D570CB531804713,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.878{B81B27B7-64EC-6125-8A00-01000000C801}70367052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030726053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:26.227{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58908-false10.0.1.12-8089- 10341000x800000000000000030726052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.710{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64EC-6125-8A00-01000000C801}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.710{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.710{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.710{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.710{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.710{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-64EC-6125-8A00-01000000C801}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.710{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64EC-6125-8A00-01000000C801}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.695{B81B27B7-64EC-6125-8A00-01000000C801}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030726044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.210{B81B27B7-64EC-6125-8900-01000000C801}17721940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.026{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64EC-6125-8900-01000000C801}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.026{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.026{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.026{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.026{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.026{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-64EC-6125-8900-01000000C801}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.026{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64EC-6125-8900-01000000C801}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:20.011{B81B27B7-64EC-6125-8900-01000000C801}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047957805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:20.460{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9CFC57AD4060926645F605D30464F176,SHA256=9CFA11F799289B3C050F96F34CBEB410B464D6B7A52FF807EAB7A3DC0495654C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:21.924{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EDC96467803A1638AA8E4A6A4DCA5D,SHA256=5469D2601D963F80D3D41301AA406DA74F5F68D39201D79ECB487FCC26729F1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:21.617{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47159DF18B235C711E8F29109669BF01,SHA256=0041AD3EDA31D73971AA746FCC20B274C7F9177B67575634FD740770E84C07C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:21.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A8A2618706B82EEB0EA0C7CB6987045,SHA256=93D6348F4A00B6743E361FA94DF94206895057B1B2E8393B583A1FFE25F0567A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:21.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13292C455FC63F8488DEE01C40BBFC48,SHA256=950AEF5A5B8DA6B2A1A482D6805A7F2B5BC3AF8545519F7BFA6897143E985EAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:22.941{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA3F2160E7954164159818759E22C9,SHA256=0A5786A3DB93B5E15C57ED28300D8C9F5DF56FB64BF7DC1140D91B7BF39F0204,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:22.648{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D35F0C863DB236487B1F7311EF94261,SHA256=5522641676C3115B29626551A05EF87AC195ED6A6626A461A4A2120F61B8D411,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:22.038{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9D28006B61FDCF7BAAFC500C70A32BE,SHA256=63FB6F1DB57E16E24C01360673C120548D4115B1631FBCA5D05745350A0F02E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:23.961{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BB340F1C0025A8A1CA8BCEFE86B0CE,SHA256=6E0A608165A0A9E74DAD0B123833325B42CE1E3FF0C4114A9A5ACF0D1C01739D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:23.648{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6320203A9437D77E708C183A7A6CE0,SHA256=970AFE7443A7C589391CFEAF31A37FF5E78BA3A5BC66F606A3EEECFC050E3A5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:29.108{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58909-false10.0.1.12-8000- 10341000x800000000000000030726067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:23.108{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-64EF-6125-8B00-01000000C801}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:23.108{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:23.108{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:23.108{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:23.108{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:23.108{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-64EF-6125-8B00-01000000C801}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:23.108{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-64EF-6125-8B00-01000000C801}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:23.093{B81B27B7-64EF-6125-8B00-01000000C801}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047957812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:18.900{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53840-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:23.445{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF8E7F06355E47FE5F28F4941FC67874,SHA256=7BA86F59C9A817053A26417F24868995DBE016AA7F261C24D5C42084246D4F4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:24.992{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0C73CED0E9354EF046F28AA13BA559,SHA256=3E9FCB0DCF5D9102F2667705AFA75118271AC643372609C0874D57693CC5A08E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:24.663{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C004C7797793D35D9353FC8ADFC5CFB8,SHA256=CC8CBADBC0247FC74534E0F514F3F1233F77BCA9987240B444FBB54AB66DA5DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:24.108{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A8A2618706B82EEB0EA0C7CB6987045,SHA256=93D6348F4A00B6743E361FA94DF94206895057B1B2E8393B583A1FFE25F0567A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:24.554{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DA960E63EE6852FC063224C0D2B2253,SHA256=CF4E7ED1CE3C791449B4A00BB138561392E1E391D303ECBAC923BC73F5D63D39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:25.820{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=310BBACA383BD27128CA53A3DE90F037,SHA256=4E1E88101CDE8A42038E77751450A970D6D3A2C1A869F9BA94A43427D14E74C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:25.679{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E983725F6AB9A7C1566F6543602AD41,SHA256=290B07C11AA93B96A1FF874C7699F84C9420A79E755EE227DB7723400F8CBCA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:26.960{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A3113EDF0A6E4408795D2A9004A626C,SHA256=F105DF675FB48288CF9719290D6D5B02B929DEA9FB9D44DAFA9A7D7D55CE9B37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:26.695{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641479D8D9325E0CE037620582F0FD25,SHA256=792372D4BAD529325489C71AED6F36EE47984B53A544DF6B14245AC1B5713D72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:26.022{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAFFA711D26BC4CB752C54E34B65537,SHA256=4564548A381B4BB7F0A041FAD33846197B3994C7E801A219C13F823573FAB3FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:27.710{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1AA591FE782C66248DCF106B64CDCF,SHA256=1B542CD18B8F5CEA127E22F0E0A75E1AF07C1909A50F84A330144F40B6FB4189,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:27.038{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD83567E3521F45DC2E61C66D1CF96F0,SHA256=66FF4392269049E51A5A395E19E70BD780F4571DD17C9D8C6D3FC697799343C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:28.727{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3862F421B6284D86076D57DF8116CD73,SHA256=27127EE1D08F3A47C7F94781B4CB371C07ED474C40E412A39CE86090AA69C0C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:28.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C78101FF9EB39B75BB2802C3A532BE2,SHA256=7E0461B7DC680B7198766CE816BB5F924E8355469EF7BF0A562E19ECB72F3E62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:24.932{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53841-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:28.117{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECEE667856B9F68B303E7E7636E2C75A,SHA256=D05B9D6AE0E056115A7D917FF273DD91B325E4700D3FB1E99F13C38D782E89EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:29.774{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99F118627BAFD32CED47B5827CD7764,SHA256=CDBF95BC649CB8FD82A9E2E04342865CC3E4C4CDEA58C1EE1A54A05AF28CBC3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:29.136{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E941F28FED329D62DEECDA7AF11AE4,SHA256=6C35CD09CB06FF13384034B9C1FD0EDE4DFD4FC8FD20A8933E461E1067019D82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:29.399{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E49CCC1CF88A1919475168B6A11A7C0,SHA256=F2C867DA29ADDB3B668CE55CFD8F986BD644FF872E905367416AAF1702398A1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:30.805{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AC3545A87C77A5DC89E0476423DD94,SHA256=B62E3C5F3927286C42FC6D04958A61ABE756D7E4EAC685A27326881551AA588C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:30.155{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B3082AC7DD96DE930DBA7C6AE22B14,SHA256=E3C45D22EEC871F3B5F39C1AF7989D552421CF42FF0D04990D4E0A3F739A8D89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:30.477{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DB83C931AB641BF781ACB796BCADDAC,SHA256=30FA452B9645866F1F64F3E87611664A722EAA85CD4AD4D7A5F9C056D59AF806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:35.091{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58910-false10.0.1.12-8000- 23542300x800000000000000047957829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:31.821{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F86F8C70B168FEE5349F60FBE877756,SHA256=92274E7993E935F949BFEF3F9FA018227CD867EF7289A10083957541E9732DE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:31.170{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99ED5238260F1503EE63C6404103D06F,SHA256=91D561366BF23AEEBA92191EA512AF59705FC70F03B6A7DA0C36BF6B3C4F7611,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:31.743{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E411A7CE9936BFF78A434D1375462C4B,SHA256=4442B8C3C2264CC862C28EF5075D91F337C8B12FA3FE4EBFAABF087B561B350C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:32.852{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEF2F8FE81F1276B4BB86D0E8078D5E,SHA256=99B11F128FC1489182433D7A7A7A9D1CCEEE9B61FA665A387B4DBE9EE54FB852,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:32.185{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F1051A9EEBF883E9DF9E6C8DFE85A4,SHA256=74C99A3A37B3C4C90DE488E60FD18D0A60C97C0F72B24E76FDEEC75BADB83871,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:33.883{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E50D06FE1A6AAD09D827CDE05317D13,SHA256=AF76EA6313E30D0B294260D02F28F9DF88E960E9104BF2F76BC001DCD7E4C432,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:30.089{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53842-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:33.133{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21F2FE2D468482F84BF6F6E0EBE4A2D6,SHA256=DDB1BFD2AEA65F73F370145FD591B3B47E8AFCE98497876D2C3FA419F40D4763,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:33.233{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F33A88167C1AF0D409845BE5BE618D1,SHA256=034CDB69912FEDCD4D8DEF516A63ABB4E060929F6301E8E76E8284FABB2FF859,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:34.883{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7CB7082F14E20B70C4671647AC1417,SHA256=2054E5028CF647EBA8FDAD5DB57A89AD68197475ECECC0F9F5B6A4E398ECE43D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:34.267{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB8BE7D0E79122AB57D145FB4BA4880,SHA256=1DF4FF92AA7B5D13407B246D3DA5CF816C95FB355E8715DD5E4C86A046F63B69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:34.321{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB03A249E667FE2FA49C2A6A2DB390C8,SHA256=B7CD2F0DD10C32FC56FA2F434EF7E0E7714E79790E8EB5BC004D1439E69D77A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:35.885{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F8E910EEF80546B7D8D2EA38DF0D0E,SHA256=5ABBEF86D20347BBCFD589D1AB5657E55103AABA17538367E2D820776E6C5E19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:35.282{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE8C1C04E67793E22AC8BB290403EC7,SHA256=1478DEF7495FD026B357019532BA75F2C68107E23BC07868C9A94511BECE0396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:35.415{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA6724CE951919056FCF304A9677F143,SHA256=22654B348235EFC2ED5AFA10E919C74E37C54FB21C73B03696B8CCA28D175B5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:36.901{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F317728B438584F63243221E655864A,SHA256=1E2BA2C19D16CEC74467C77BBACA1F09490C4649B8C40DD87912ADAE1E2C9A7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:40.983{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58911-false10.0.1.12-8000- 23542300x800000000000000030726083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:36.297{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A3ADB0BA2A87507633F75C35881206,SHA256=1F20C5FB6EB9CBC1B9F369DC4FC1DE4C38064E949F7882A63763427F3F640061,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:36.667{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B12666AF879541337486F47A14EAFF8F,SHA256=D5FFD11B7C07C8416CA49D735D88A4D70D6BD63FD7FA90D45453ADFDC485965F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:37.932{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9676D554C068D2E94CA4605CA020DD7A,SHA256=E55AB83624BC3675E0A9F224495CB625BCE4F4B5FF7E31B1C31FE37C7D35A461,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:37.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA36E9B8CA63F61730A057BE9A6963B,SHA256=FA0B10269B9AB6E7B28044DC535E21849F45BC715A41ABFF83A37CE8397D8C8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:38.948{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B755C5DD56C19A65F89FCD47DA6584BB,SHA256=E773D804E9D808BDC41803651579C6921CBA4B9CE328E3C5BB6A2E4483613642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:38.379{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0CBAC6228312C88FC0F1E9F6226793,SHA256=07CB64F9F6872DEB7F626854B6D0B33AB20CFEA6982946F701FAB2B52E9C06AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:38.167{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25EA85816703E513A25F508DAD11584B,SHA256=AD456469243D06D64A818BD1929D12B751222E06E4D41FDFA2EF2D9CC575E838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:39.979{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2292B44D1C207309173F37EDC73EAD3,SHA256=7E0DC988D694E082345B47D5CD856F2D093A3EC1105016A5F5B4AE7CB28012BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:39.428{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8078799E91BC812BFDEE92F054AB3E,SHA256=26C0EFD9FEA847BF43734B8929458630B8112E6627E26404EC79D15431A73FC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047957844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:35.997{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53843-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047957843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:39.495{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A6E6F382C42025528E12FE024B0C500,SHA256=17D285D993B5F958356D795AB5C67977A845B90EB61EDB2307450E8A8CDD317E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:40.995{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC1E2B16A78C3C72F91FE09EFDA735A,SHA256=A9C6AFE002809C021E73BF6BDAFE2469A46EF69E5F9DF79F5DD921CCEF7963E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:40.461{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2697C171DB054BB8127934E6C44A90CE,SHA256=8C15A7565369107FD6DE13D02E490A4DAD74C2C91D763A9BCD38BEB7D6ECF9AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:40.542{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52C3F05274335DC000DB2EF581CC1C2E,SHA256=B0A0B49C639D96984CA58C22737A8674A404A69AD942A851E56CF7A063B2F25A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:46.109{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58912-false10.0.1.12-8000- 23542300x800000000000000030726089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:41.475{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BA0864D93AE3F8DC8F9F97FA8CC198,SHA256=48603173E8EF8F52E638B78371EF7DAE8F3CE750A72E542CD8943C02AF29027B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:41.776{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C57B02A140895B145E316D48F9C31AE,SHA256=13F46712F69F622FB2A87FD64F46120BD5D4880B8A102FDF4B6F1176BDFB3928,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:42.524{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12614D5DBC739BED426FE610F48A00FD,SHA256=3FC286778E2341B2D582C9F7EFDA8F7ABD8FB3388ED9A31288FC7C84B7E5D5C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:42.010{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FA098D19C5E53FA858827B21157AAE,SHA256=AC2B5072EE239B0652E0515F30D46159AB6F0F0D11EB90DA38EB1AA036F1A070,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:43.574{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6404A0C95005372D7F07A65B1B9AFD9,SHA256=A6BD234AE5D8AEE6983E2A4E9831C43DF8E5F2458758413FC985F80A3F51C486,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.635{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047957911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.635{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.635{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047957909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.542{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375AB2BC6B71970CAA045A1EF88C56D6,SHA256=773B5573DD57C7052E0EAC13CD5495B6E8C5447FAB889B512A371E8753849181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.464{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.464{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.464{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.464{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.448{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.448{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.448{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.448{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047957899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047957879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047957877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047957874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047957873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047957872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047957871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.432{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047957868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047957865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047957863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.417{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.403{3BF36828-6503-6125-76F4-00000000CA01}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047957851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.276{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B07432419E83D0666761F3510D61B7E,SHA256=C2D45ACA64A41F1DFA3873B20AADC7739D2E6B5EBF514B8D41E22EA4C12E79FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:43.026{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528A536D53D85C9425300FC1022CE388,SHA256=5F12E8E670E4ACCAD1BCAFCCA5FBC34D2434EA747E9982E49E2B2B92AB1FEDBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:44.604{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8DE2ECFD6797A62D570A3151F22B0A,SHA256=1B0DF8F3B34F1CA80EEBEECD1566C28071390945A7E7D08E6BAA0AE70CE2D4B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.979{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047958026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.979{3BF36828-6504-6125-78F4-00000000CA01}14285552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.979{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.979{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047958023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.807{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.807{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.807{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.807{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.807{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.807{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.807{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.807{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047958002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047957997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047957988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047957985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047957984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047957981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.792{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.777{3BF36828-6504-6125-78F4-00000000CA01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047957971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.557{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD14BE48DC612192C43E5709E4BB54A1,SHA256=63B2ADD2BBEE3D7C729E643A71575DDD73ABA85ACB75D203B919B42C22981FC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047957970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.526{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24AA76AAC76612CC0F8B32D4ACB4EF43,SHA256=39653B7C62808E401D5510C9A0B4803E9F9C1BB7651B0D63A08211EE37E6F744,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047957969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.276{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047957968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.276{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047957967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.276{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047957966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.120{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047957965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.120{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047957964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.120{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047957963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.120{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047957962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.120{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047957961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.120{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047957960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.120{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047957959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.120{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047957958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047957957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047957956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047957955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047957954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047957953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047957952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047957951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047957950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047957949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047957948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047957947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047957946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047957945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047957944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047957943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047957942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047957941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047957940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047957939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047957938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047957937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047957936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047957935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047957934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047957933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047957932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047957931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047957930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047957928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047957927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047957926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047957924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047957923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047957915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.104{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047957914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.089{3BF36828-6504-6125-77F4-00000000CA01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047957913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:44.042{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6288CA6A8F950BA0270C55C873A6A7CC,SHA256=CACFCFB02FD4618AE6B76FFA8A7C0D10714ABB944E78793A0A3BB63D2198F6C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:45.621{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93D6E8AEB2EBAA8D5CC58F646AE7DC5,SHA256=9803BEE67FB365E6FDAEE970D39ABAB54729ED0CED91525EAFA3933F10C3A1A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.979{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=369E304FE34DE1284AC576714E6DB803,SHA256=1860C110695024D64BFF9E21A015C5157AA12B383FBEB2562299117A1AD404E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.917{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.917{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.917{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.901{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.901{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.901{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.901{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.901{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.901{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047958135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.901{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.901{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047958124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047958120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 23542300x800000000000000047958110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE776369529FA6B35FABBE9A72AFE3B1,SHA256=7C8321E39143585299128A6A0874AF53E9AB5495CE3B33B03BD4E3FBFCBEBA77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047958107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047958104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047958102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047958100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.885{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.871{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.807{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8638241BB71DE658A4768FF6234FE2FD,SHA256=A6CC3C885710C02A9650D979FB6F6F57C069D55F02EA85ED26905F928068A3C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.807{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5819A9A08B868901D29A4C2ECA1FD1D3,SHA256=D1A0AB481DD3CBE16E53EE98F7387AC218A1D7CD0F665EDC3E1E4D5BE2D3555E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:42.013{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53844-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x800000000000000047958087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.573{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047958086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.573{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.557{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047958084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.370{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.370{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.370{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.370{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.370{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.370{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.370{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x800000000000000047958077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77C62210C092FA43FDAFA0F6621121AC,SHA256=FBE7C25B057E15063ED4DDF2ED0B85129528CC1B92A201D0E0B9009CB67F7B32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047958070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.354{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.339{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.339{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.339{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.339{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.339{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.339{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.339{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.339{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.339{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047958055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047958051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047958047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047958044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.324{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047958042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.307{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.298{3BF36828-6505-6125-79F4-00000000CA01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.292{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3965E3F7928052585EDF53D7544B9CD2,SHA256=0CB26A66BD57999E2CC92CA08297B5743724543B76BFCD7DB40B095239E5CF1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.229{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DDAB12128EC49CED9C0AF67F6922656,SHA256=4177FF183F2DECF5B4881577B04C7A3B7195464E14E8379192175D62AA9A2B68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:45.182{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FADB07DB6595B6019E9CF3B09EC1D65,SHA256=4EFB103E1091220571C5540F92E80A9C80736E5C86DB66AC15B309FCD956932C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:46.639{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128AF2161328ED7BF5E6399C58948F34,SHA256=E40E2D5A5FAB3F76A90B4440FF9A987C4516591ED8C883C621214EA390AC6E82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.948{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53DC33E8C93CB030EEF7AD111AC4A2F0,SHA256=8511229DC4DB01F8AB7A99A300D9FAD9050868C460D7F49DEFB3747CD2DF7F56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.885{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5D1D0BBC7551173F18B33E792ACD185,SHA256=53F55405FAAE146BC4AA175CAF2ADA8CBE6F9F3BA948B16CA4502278EB7273D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.854{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DEDD64147B8D4C66861709EC02F5E8,SHA256=CEBC8EF9A9CAFAFC2E1EEF2CE68AEF0862C3D4F7E45E1E67F8412C4D539D7AB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.729{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047958209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.729{3BF36828-6506-6125-7BF4-00000000CA01}50285760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.729{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.729{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047958206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.604{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20DB01BF99B6E10D1FE585BB6D205EAB,SHA256=215FF2C28EC53489ADDB01D7E46FDF1F795788EF4303F53F0BA5891DD81E8C09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.589{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.589{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.589{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.589{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047958185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047958171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047958170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047958167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047958166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047958163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.573{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.557{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.558{3BF36828-6506-6125-7BF4-00000000CA01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.245{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C3EE3CE68DBDB83211FF660FC310499,SHA256=99723CE0A4AA9F001097F760519CCA82B14F27EDC2CEE466BFCA58271ECFAEB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.198{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FB81D6528038DCF269D20507A370B0,SHA256=DB455AE1363716EEB2F55AE3D6DBB81E764A5D21E629D2F6A3E25E3EE9F167AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.182{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BBD6ABC654A780B2277E4021FE33CEF,SHA256=2DF5CF1A8B69468A52E7253FBADE655272643458E7D9F9F1831928015036B041,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.089{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D0C4CBC00FDC75DA812F7B973701767,SHA256=B8FFE444C6F6B933D66A128293BEF04A81CCAFE3FD4CE718C032E45F7AD11D86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047958149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.057{3BF36828-6505-6125-7AF4-00000000CA01}4445712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.057{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.057{3BF36828-6505-6125-7AF4-00000000CA01}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047958146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:46.026{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F21E60629E9ACB50154C5F4BD4DA251,SHA256=5D7F5FDB135E2A846C7246B7E7349E18ACF65BBF9834C39FE86BFCD2B9E81F47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:51.973{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58913-false10.0.1.12-8000- 23542300x800000000000000030726096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:47.701{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680DA65A9A4D799BCB854FA7B7270369,SHA256=D8B4DCAFFF6C2823493F156DFD36C49AB350EC9D8D941F5000C521B987703B43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.401{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E50CAF32B7F2663526C19547DBD9621,SHA256=AC5A8EB60C9CDE30105EAA1F96A856BB88DD41BD6FE1FAFC5594B1CB2F9D6E2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.276{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047958272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.276{3BF36828-6507-6125-7CF4-00000000CA01}15724076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.260{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.260{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047958269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.260{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882E677FFDEC1F489CD245A003D326B2,SHA256=AC3AD8FFC9C32B57477F4FAFA5F3853B65CD5394687C49290FCC8CBD837ECB6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.135{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.135{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.135{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.135{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.135{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.135{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.135{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.135{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x800000000000000047958260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.135{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C0A8DFE3BDCF751C3B3950006EE9E81,SHA256=451DD459D880E42691AB3BC4E93A46D674F6A713EFF93187903BC1E96C3619F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047958247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047958234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047958232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x800000000000000047958231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047958228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047958227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047958225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.120{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.106{3BF36828-6507-6125-7CF4-00000000CA01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.042{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2786F6597E761D63E7CDE6AFCD900F9C,SHA256=AC51D4727C4C5F85931BCF1F3707327170449919DC0867DC15C5CB75E4D00BE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:48.717{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA22CBA298F3C61477DF6B452700A01,SHA256=FFB4C6D5773223407C06487613C44386630EB757E89549AD0CEA22DF9AB41D11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:48.307{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9688060E300F059BEFF8E2D662825454,SHA256=0D1198BD1CCB841613268D30F18F2A92FECB66ECAE8D5A6FC33C619EAE1833E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:48.026{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D23CB91FECE704A651E954FC509406DA,SHA256=2DAA667DC79D26BFC82C5C0EEDF0A32B5D043C8E3C1105C139EDCB47986AB864,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:49.767{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258C1D83BDCDB08ACCAC2FBE45BE15D3,SHA256=C1A943EFB3D26CE8DD3454B5881E78CB35B2149277D847A6769CF4F80DCE8C15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:49.526{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90F8FFA4DD301121BF84F881987F6E87,SHA256=44CCF9F0EE4AFA7CA437E1BB9AA65D431F27007DA633F13C2AF9252E9A674659,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:49.526{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A6A4CE1FE0180E89A595AB82046044,SHA256=0609DF3EE2BB909138E2C14A20CF7707432ACC59DBCCC142E3EDEFB4CC144AEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:50.815{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E411AAF7B1A3A60665C234AE5BC1944,SHA256=FF41C8E9DA5046CF8F6B791B75BA04FF05A65784F945E307B37E52B322C70D9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:50.745{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEF1F780993954687A26886A5FC94EF,SHA256=8377CB52E824D20A9C4C93190C438E8760BD556DD2E3F02EE089AFAC7CD2EE34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:51.834{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0660DF3DBF0A274411BF971847D14B4D,SHA256=05B89C4AFAC34ADDD3D1B8AE4A62B3C1E6F1104D0A1312DB7541341402F165FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:47.919{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53845-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:51.823{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EBABEDA67C543461B93FC450A3F2B52,SHA256=C7BA1D264C3D2297BF482E121B37EDA9C33C178B8EAA19710E4503EA49D5604B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:51.745{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD61382105A70D4F0BFFB19FA6A6778,SHA256=74C0045127DE081F25479A14B91EF0D0F3903A9CDBE866162BA1F6272DCBDA89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:51.182{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E995ABB48DDF96ABEABBBF588F5BA9FC,SHA256=8EF95EE5A9416E9AF8B91AE9652C49B5EAE8FB17949AB839D4FC7FAD73E11911,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:52.864{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED09818C6B17807AE8D2D9B892C0A0D6,SHA256=A1D0400736075D4A466F2F7D84C8FF63247C132F8BE7ADDDEE0F712565290EE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:52.964{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D166643C31696F7BEC59DDBA0CB236F,SHA256=D97C9C94428911EF03D507E9E28D84EB7224CB60FA7AF90B5E09125EBF3F9B65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:52.792{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245717ED39FDC78AA8231D796416B9C1,SHA256=0CF9F7216C8652F6A7696081C7517BA68A705DD770EEE3A49B21A525079B770C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:57.119{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58914-false10.0.1.12-8000- 23542300x800000000000000030726104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:53.879{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5110504DDA02B742B1F0AF867FF00B,SHA256=74B1DB495B01B89103F1F65CAE196A8E51791B6F86DACDAD2B7C484D3BC8E016,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:53.807{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADFE4ECFC6A31F12B06C5CB568A2DAB,SHA256=752DB1CF1A0B98523B61D91A3DBF57DEE69AD2DE187AEB0DD3A9BCC56C1168E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:54.894{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FE7DC3EC9597139AF0C15C0C560BDF,SHA256=33AEBDA4C3BF739357C882C0098FA280B37C8D30FF52EB7FCEF6EF01F54B7592,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:54.807{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3F93422722C14096DAF4EFBC56B4D7,SHA256=95D7BF5CE4C933885AFBC0DDD83FACDFA15CC2354AAB55C920A1DEA006554C09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:54.245{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B109F4EFD4D944D79D10E27D20F3D5F,SHA256=F539F7BEC92BEC9D21E37162514430E1FF069C0DBBE3FB259B81B6BCCD375AC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:55.911{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F583322DFC7139DC5218B73DBB40FCF0,SHA256=A8FA74FFDF2A6B8EBF9949181C43F63267939D319A5CB41C8F8DD259C7C4B553,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:55.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405EA74AB9709D3E3A49055F9510B02C,SHA256=A5D9E6152C9905CA04F65161615C641839674A5E3A87FBFDBB06BCFA1C7EDC7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:55.495{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C28EA53AE745FB9705386739F0598BB,SHA256=205FE5631ECF65728BABAF7B654D1841E7B7D9AE7ACD75D5AEC2CE1A6EDFEB5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:56.929{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6BB54B78CC94716F444DB394A09EFE,SHA256=F7E89F26F90E259FF323A158907720EA8BE73DD5F802F7BCABA75BF7CBDCC641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:56.984{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171B231126CC41ACD058E8C64431F636,SHA256=6CD00A938A8584752B5E7C0C383A7636C0176DD4CDF2E5857797C320008680FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:56.671{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70B9458A520499CB17D29259DD031E63,SHA256=1225CA599260EDE129B383FCFAB47B4846AA8C38E3390B8B64C48B1388873C37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:57.959{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958B3ACF9F096EC068826B7889FA65F5,SHA256=DF94528CB3A15A85D31E45D73CE689293846AB8EF33345CF0B93E001F691DC75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:03.040{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58915-false10.0.1.12-8000- 354300x800000000000000047958294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:52.765{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53846-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000047958293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:52.765{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53846-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x800000000000000030726110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:58.991{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6009C54DC44C352141DBFF6CB34A759,SHA256=8E9B654963FC7462D99FD20BBB7CC56433522F2DD751E7CCCEA7BE4EE33D34DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:58.156{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF83F3E2324815A20BCA4F470D4668CD,SHA256=E359BB2C4BDE1C8500DA3926D57453BB729CCF0E42195759352FE60037C77809,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:53.924{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53847-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:58.015{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361BD92B86DA3F39F2B29DDEE4577838,SHA256=FA21662E5C2B8F6A72A470EF14FC035D811493E8C875472B829EF7000219258D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:30:59.991{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE3AC83E4CED75D178E6851A65876BB,SHA256=295DE122DE79218549884D1F89CB4767438290FBDD9E8629B8095E8AD5B80586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:59.218{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0953D4A1BE344BD46F8E66BEED98ABCD,SHA256=6606A868C8C15AE2CBDD56575E0CE53887B70D2B380E8D4E73D6182705A4269A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:59.203{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACE3E8134479C4CB3F79E6D61990422,SHA256=89D1CD3E1EE1E2A668967C730F1B1810557228001936B547163D8399606D332C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:00.343{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA8AF4CF8BDD0741FC24780283779169,SHA256=1C4F27E9A93EDE0537E472EB6DB82A125AF096B0AC8015EF064081B1299F4271,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:00.218{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF643164F14FA1ABCB2A9C0AA87A4CDB,SHA256=79040BEA5353C9E3EA2AB052355E4CD43D62BDFDAE29333A724054E6CA598261,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:00.375{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000030726112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:00.180{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B3512E5ED2F3E003F242EF447015EDAC,SHA256=323E7EEB88C493671B0BB06534A2D9F404B2040DD69D2671303D16E370AEAE93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:01.406{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BEDD270380F2EAA3041C888111947B1,SHA256=5C59B1DB295062365896DA66BEB8ED6342C304BAF7853F10B5F3FBDC65B1F762,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:01.218{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BE3DAD760D31F4D8F74211E1EE1B46,SHA256=7166A05CA886ED22CC88C15908A08B67A26A701F8E6D77E85FA1320CB94CEA34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:01.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351BF2368A25329EF400058DA897BA9E,SHA256=BF5DC2F97886706DE4DEC872BAA002ACCD945AA78A13A15CA95229DB4FD8C86D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:02.624{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A9BB15A46C3429554494773D38FAE42,SHA256=223CB95220FE0250802E936F5BEA72F2378C8FF2473A71E77B284B43724795BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:58.228{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98758916-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 23542300x800000000000000047958304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:02.234{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F056334346B67858620B6DC4389D640,SHA256=17D5551307E8EAF418FBFE34657CDC6E002787722E79B4E2E8FA44B11A4F1FF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:07.310{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58916-false10.0.1.14WIN-DC-128445microsoft-ds 23542300x800000000000000030726115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:02.042{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E166FA9638A3550CBF0CAA372A1501D4,SHA256=143C91EC85786AE7F92F4FF246125A2E791B4C9DB001E1A27E1C48EEB0A67389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:03.856{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F24E35679AB924C4F52C6739DBA80BD,SHA256=B95632EEA487714D2F25A853B969532112600CE5596A115C64CEAAF24FE0AE85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:30:58.971{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53848-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:03.249{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A4D7CF82C434F65127FCAD289F8017,SHA256=99EB63616ACB6938DE05FDB4B942F1F22113210C4BC2A7773F761FC050D52AC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:03.872{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6517-6125-8C00-01000000C801}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:03.872{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:03.872{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:03.872{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:03.872{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:03.872{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6517-6125-8C00-01000000C801}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:03.872{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6517-6125-8C00-01000000C801}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:03.857{B81B27B7-6517-6125-8C00-01000000C801}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:03.073{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3FC9DC25C6E3BADC0E26F04DC7651D,SHA256=ACFD2678F023D62E13CD9BC30424BC3E587F8B0D38F5DCD94E8A954DE04B278F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:04.262{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8962B75058A9B54D32812DEF443DEE,SHA256=375DDDDD550444616D512ECB86CEC2E6467BA16E382001D7D7B732BC5149754A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.891{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90B958ADD604367480DD0D9AC12F5869,SHA256=C6977DD939015579E0C1D9CD84F3260D1D95E48CF2C259E31A7A73E08E6EFAD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.890{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=085DCE19E0D02BF24D946A858F5A9B71,SHA256=71D53E5B113286B09842D093BBA6B0CB6AF2BC8FBB531EEF7F50F67FD1962FEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.723{B81B27B7-6518-6125-8D00-01000000C801}35685376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.554{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6518-6125-8D00-01000000C801}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.554{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.554{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.554{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.554{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.554{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6518-6125-8D00-01000000C801}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.539{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6518-6125-8D00-01000000C801}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.539{B81B27B7-6518-6125-8D00-01000000C801}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:04.087{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379B23ED677959212D265DC48DB8688B,SHA256=2D099C30FEB29FC1F86E6840744183698B6DEBF87E1AE38E0220E6E0A02C388E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:08.958{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58917-false10.0.1.12-8000- 354300x800000000000000047958314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:01.874{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53849-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047958313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:01.874{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53849-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000047958312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:05.296{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC24842C9DAA4BBB60D3EC4689D22041,SHA256=48F66A33AF9A49B266283E3D7EAE49FA6876253A32A875084AF04016419F458A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:05.122{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983B51B6335E22EAD4BF58E548BB487B,SHA256=5268D5970BC8C2F76346547C94CEA29063657F92A33074332AF3D6E5A03D405F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:05.015{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A97AD5271752EF3F57CCDB17427A207,SHA256=44EB23620B152D05CE2F52B16838DA91B3978D7FAFC98403875F895504110BA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:06.153{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AE35BC6A4FC6DD898FFFD52919C15C,SHA256=B5BCD5A7ADF1A29648BB1D3A210A94895103FB1AF7E23DFC93272D70328AD207,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:06.703{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E178F9D719542CAF155FDCC9D952ED69,SHA256=EDEB37D5B399645E20F8A4AA04875564426F97D56BD6632CE3800DF0273C598D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:06.296{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075018BF8C36A232BF8A4C5776A1210F,SHA256=6B41B5EE3C151B7265EB3AD7FD796707C3B5D2A37C1768B939B7E419A00CB1A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:07.750{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E430E08886EA874957E38BBACA8A13D5,SHA256=E44225E067FFD7241E0415FC96E9350CBB07CD600F8C4DDC0F98E05ABE45BCF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:07.298{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E450755A0E22D57ABC51767D0C39B17,SHA256=A7F6B82D5B65C5CFCB123604AEBF9ACA0C6963BD619876313294F2F7335B8D1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:07.167{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD621B1368B278A91AD92C083A292986,SHA256=81912EC9517D332A9204A94D31363967034F403086538D6F17BA2E6F9145E7BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:14.083{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58918-false10.0.1.12-8000- 23542300x800000000000000030726142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:08.185{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3ECDA71CD837661EE4320B84EA6BA8,SHA256=22C8572DE97D94C30070091B45B3F66F91518474FECF8FCED6B8E1033BDAF419,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:08.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099922F16A71E6B7358A7324FD41AACC,SHA256=A7A4FA2560425A05739739278E34B5E4F93D9D847C5938A835DFAE8265EB66A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:04.877{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53850-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:08.328{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE74120B1922B2316203DADBE01E912C,SHA256=3F03C7BF7A0FB70197407282CCEE230F0C83E44300735259317C583E6026BBFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:09.234{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD221A4CFE4FF843AFBD54306C9D0DAB,SHA256=9A3B9B4F17D577BE4AED0F879D3850D60554F1F1DFD44677CF97F06C33ED4AF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:09.343{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08ED56E01C65DE351268727D57931B2,SHA256=911047685D6BC29E73C8E608A00DC000BDD295AC071A7AB8EF9C744A67B7BE72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:10.343{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5585E1725480851A572183C4CADD4A2,SHA256=466B5016EF9EB5E29F0916DF3A800E1897C69A837B2CFB6F46FAC46A7074B922,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:10.286{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0A93B3774836651FF53D0D573D8C16,SHA256=696F2C01A62179945372C333A4959FB76DB08E4A69463A62A926A4FBB17636ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:10.078{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE7F1E215E661D21B7A1AC955282C918,SHA256=7FB9C07760C14B6D02A1790147B1DB65FFFB571BE07AEE0E62188C6DBAE5E041,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:11.703{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:11.359{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB8EB21DD80B75A313B75D3C82B62C0,SHA256=FF065D47F0763F376E9297C22A5BAC5B4603AC5BD7EABAF6CE38EC1BCCF09D38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:11.300{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95AB81B696976F458164339785451A0,SHA256=C15E827519C4852C23CFD4980FEAA3D1B21D5E9536859366275B5041ED3AE1D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:11.250{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E97D744D156A26A4810EB4E950136935,SHA256=0E09517D555A25FE8F6A90E30766D2CFBC17F17F2F58F2CE24411411CC0840CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:12.331{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82AD339664CFCCC3BD7DF1C1763E320,SHA256=4F694C6C905DB370887ECA9736F9E3C09C8267C9AF1E95FE43F79C27BD01B5C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:12.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27EAFD1A83238384AB4392D90B40FAB9,SHA256=CD8E5B6C3D041E0E69A5A889AB095D301489AF62C86090F542BEFDA0B69C747A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:12.375{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEF495120BBDA6023D56F6F86A48A0B,SHA256=924481859275989EC2DC2A4AA26E39856B7E1602F965953F56FF9DA5D11EB651,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.882{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6521-6125-8F00-01000000C801}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.882{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.882{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.882{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.882{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.882{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6521-6125-8F00-01000000C801}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.882{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6521-6125-8F00-01000000C801}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.861{B81B27B7-6521-6125-8F00-01000000C801}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.361{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FD60F10C6A922843E6D5F8DB61DE40,SHA256=AB0113303B35F5EC216EF391891C38DCD15E4449EDE2401A516A3ED599895597,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:13.843{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=330EF2AB113127C1789C575F6D6BFA3D,SHA256=D20618B61EB923D19750C2BA8F24F89F88C651C93EEF111795809871EC8AE7BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:09.534{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53851-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000047958330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:13.406{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D890D115833249308D6057095115FB,SHA256=BF978CB8F026B4BAF1524BA65C2C01DB3D9406B3304CF8124E9437F93629E859,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.345{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6521-6125-8E00-01000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.345{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.345{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.345{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.345{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.345{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6521-6125-8E00-01000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.345{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6521-6125-8E00-01000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:13.330{B81B27B7-6521-6125-8E00-01000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:14.429{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85297DAD2FD05E3806C3605169B68032,SHA256=88B0DB7EF152B1CE0B5E8B5619C8E362130304CD3E3ED49BF1108635B151F5A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:14.429{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90B958ADD604367480DD0D9AC12F5869,SHA256=C6977DD939015579E0C1D9CD84F3260D1D95E48CF2C259E31A7A73E08E6EFAD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:14.380{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD467CB59CCFC0E61E6F04D0352AB79,SHA256=23CD5B896FC88CB08F2947488087E21BB209B5B44206EA750A652F787EE1BDA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:10.033{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53852-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:14.437{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16116C6188444A49AC71CC216854FD97,SHA256=E1F622FEF293F1BD4966651A2327CFFED87EBCACA44BDF8395EA73CCEEF070E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:14.029{B81B27B7-6521-6125-8F00-01000000C801}52564056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047958336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:15.453{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB26ACCBDA253EA55D108231C6C7AF1,SHA256=F01D6448F7496F596AABE25673C4009952D8F83E4F6BA733D013B92EE35D5C4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:15.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3276068232B3097E1324145FF20FC68E,SHA256=9560A784951ED0F447A5BBB64FC5B853782C7439E9B8109A1EBAC32B99319798,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:19.977{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58919-false10.0.1.12-8000- 23542300x800000000000000047958335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:15.125{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59CE5023E3F100AA5A033CEB64AD7827,SHA256=229424636651A5A4E66D98C226D0D1317800A6865F6D9581FD59A8CD456A4052,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:16.704{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEE46EF1B3A616F4A44D691A0CF48A95,SHA256=D10E7394C9EDAA5B212506BDD2675500ABB2A5F148B2495814A17C5A6DF1A348,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:16.454{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E287AD21EDB23A3C58A8EFD8B51A11E,SHA256=A2C3BBBF38124CFA19F4460002D48C2EBB31C827870D2E51D13B3CC4CECCFC97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:16.451{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CB4F63EDE9C44DA1FD74502E49D344,SHA256=0A576F0B072132DC065504F02B2906C01EDAAFCF8224D5E2A3FA616A48FD50AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:17.503{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F274A166C247D54EF9048C9ED40B35,SHA256=F0617A4E6B71CE87A1F8B831C7C480F9DBF70B18FAEE473133EAB35FABA5F13A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:17.782{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=356B1650952168E588BE14B7CC381A9B,SHA256=B6A43DF880BAE4FFA30D05F68C116E5E4C48AF055E0B3FB77B4412F83C757606,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:17.469{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=859965AF89087BDECE5403C256BEAEC6,SHA256=D28498E12C1CF5669B0DFD326BCBE4FEC50DEEE56317A6063958CAFB33E32D1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:18.534{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52DDB9EACE151BAF36A891229EC3AA9,SHA256=2F387823EB4D38737FFB164F4B26C565D020066A24FCF5E4FC0C3A6506DFE97C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:18.891{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ED33A15A8A2F08489BC9B43F1CFF1B9,SHA256=5C7DF06452118BE384C91606FF90C2C0DECB0FB90E1957ACC2752D07C70E4E50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:18.485{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C95BE01BF388A7A301AB368621EC43,SHA256=445E4ADB43C48E51030589B5A5ACA127CA3D7DD8EAF0145C9128565803633690,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:19.549{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6E7409D227A7847B79C30F7C8B7576,SHA256=6F16E1185E819469E71758DAE5B5F42609C93C9E2815AC65336B1CD4EE1F1F50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:19.516{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3927B430742DE687DA688F12E75468B,SHA256=F6138C77C4DDAA4E85BA5709A49E8815E8DD07618B7A9458E67BF1F217D650EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:19.334{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:20.532{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2AE8A0BDCEA15FB4C9B0CD9ACD7DF6,SHA256=5803C27F256A93A6874548CE3DF79FB4E84789D643C42C97E37063AF30495CD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.916{B81B27B7-6528-6125-9100-01000000C801}12245760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.748{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6528-6125-9100-01000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.748{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.748{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.748{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.748{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.748{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6528-6125-9100-01000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.748{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6528-6125-9100-01000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.733{B81B27B7-6528-6125-9100-01000000C801}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.585{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A955930FB88564E39B063480D07B491,SHA256=C3F4252A8265CD70B519C649A9A9EEE6A87C3C94DE09B68FD154C4FFC652AEB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:25.083{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58920-false10.0.1.12-8000- 10341000x800000000000000030726184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.248{B81B27B7-6528-6125-9000-01000000C801}6676828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.064{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6528-6125-9000-01000000C801}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.062{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.062{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.062{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.062{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.062{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6528-6125-9000-01000000C801}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.062{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6528-6125-9000-01000000C801}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:20.034{B81B27B7-6528-6125-9000-01000000C801}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:20.469{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9453DE4095E8FCB6E24F3EC08B7055A8,SHA256=6D7E5069679EBE6E3386CD484CFA79B9A11CB80A70197D77B25B2E3F21F39666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:15.878{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53853-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:20.157{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=088A2A7B53502952BC9CF7DF98AE18BF,SHA256=38C5BDA6750D8696E93BF547F735AA215ECACD8EACA7FA0344A91D719E44908A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:21.548{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DF61323A5D71F65137AEF784FFA858,SHA256=D9EF4EF965022D18E68ECA3CB1C0134C68612BE5E242EB78C502C01B12EFAE7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:21.600{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83E579556803EA34881C7B776688AC4,SHA256=96310B3AD2FBEDDD6E25E90255758705C66405B75E838D5E946F3F6663557F68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:21.407{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC5B899AAACEA5990772835D77F5F21B,SHA256=3210CC75FC0411E8D2A9EFFFDF6232A6DA44474DABD53648D83BF1A03B43C4E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:26.250{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58921-false10.0.1.12-8089- 23542300x800000000000000030726197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:21.063{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0912E58AD7D824E572B6B1BA037C13D,SHA256=1E800DC0FBF0D2AFE7DCAB66E5E97EEC7E67C7DED72C82B19EB65EEAA93AD2FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:21.063{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85297DAD2FD05E3806C3605169B68032,SHA256=88B0DB7EF152B1CE0B5E8B5619C8E362130304CD3E3ED49BF1108635B151F5A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:22.615{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1999A7E83A812A945A451D917ED13D3,SHA256=EA1C8D203A1548B01ABCD1B3BCB513E854C216AC6C51B0FE50B404D7F8A91798,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:22.985{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD008B89493834C723E29DE446A2CA31,SHA256=6D6F68B61E6AB901D6EE3CCCA8076922E69E7D88610E33BE26464A587DAE7908,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:22.563{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCC7F0B871D5450FC1B4ABA29BB3D47,SHA256=EB503243A159A585DE8D7CE3E72A8A6A0FCB411D1C54BF4DF167BA91730EE323,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:23.639{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5ACC50A747618FE4E77331B2FBDE68,SHA256=14B7AA48BFA070A8B59065AF34459F6DEF9744461378198777014F3642AAE44D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:23.563{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425B80CC03E119BA1D72C294C269A82B,SHA256=5C20F73E4EC8851D3D7242214618F5003934F24AF21B307C727031E71199414C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:23.114{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-652B-6125-9200-01000000C801}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:23.114{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:23.114{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:23.114{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:23.114{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:23.114{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-652B-6125-9200-01000000C801}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:23.114{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-652B-6125-9200-01000000C801}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:23.099{B81B27B7-652B-6125-9200-01000000C801}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:24.656{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9523375445496FF54A08097E42D80A3B,SHA256=30C350C8D63AF393C4E941ADE426860FF37B305A652BCA4721E89E42E7005F2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:24.579{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FB7520A2AE0C68C256B73AD0F89825,SHA256=E2731FD65C2A658819811EA7E5154648CE35C86CA7EB10D3A18B1DE2F450E371,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:24.139{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0912E58AD7D824E572B6B1BA037C13D,SHA256=1E800DC0FBF0D2AFE7DCAB66E5E97EEC7E67C7DED72C82B19EB65EEAA93AD2FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:24.079{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DC27C6E2AF45390966F7B1B1BAC9645,SHA256=575394949F9170C8FD114B219E7AA745845884280E92F5AAF81E3990133CEE0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:25.675{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A42BF5B49AEA4CCACF32D2FEDC0205,SHA256=AD72D6B7350BF77A94FDADE1F810EC224E49B8E71C90DB54C05B2C8D60A83606,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:25.594{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B0694800F2DCC95A1EC93B5E7BC953,SHA256=992B54742BBF9F9565CEC571657829D7F4C48FC82A866A9BE95BAA19FC8E7E2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:30.146{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58922-false10.0.1.12-8000- 23542300x800000000000000047958356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:25.329{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BE7F2EE2EF6DE392AED7D61FEB1CF31,SHA256=A2C568C080546F4D6978C07A97F9C303DEA273701F68B67CEFAD4989D0FF4E8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:20.925{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53854-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030726214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:26.691{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CA2688E1CF5D1A673ADEEC8CE2EFE3,SHA256=B211521C2060C36340A8C26AEEF0E02F7DDE37407A55A9D081B4A60A381D4EF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:26.829{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2848C8FC15084897CBA0A10DBCD00C8F,SHA256=377318030B71D63BB704B55631AFD1E8CF980BA530E884E16A476EE3084D0A20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:26.610{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75044E2DADCCD0A06C47CAAB27EF4A28,SHA256=B10092736B029CE60EE3FADC50319558F343788205C71AD4754E161086FC6949,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:27.705{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF51AE420B10AC2B3AA38B639FDF7B3,SHA256=C1E191D1148F7E392ADD631BE68A4BBD2B215378C45C044FF039CA81F2539DB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:27.938{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31673B7A5C7BF0A2F9ACE011E2E9B2A0,SHA256=42318DAB140D61A249DC0AE67703ABDCFBFF84B1AD861B55906297EAF9BCD9B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:27.610{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F906694AE2EEF38FE9CF567ED64AE2BD,SHA256=BB6DCC806E97D086C8DC754D440E0DE848EBFB033AE0A7D6C1B083F3E6737C0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:28.735{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99D5C7B7D3BE634C9F386BC5AD3FB06,SHA256=53ADB8421CA8D46472568C5A1BA3C95F38FAFC43EF964B0260A5FF05897E09A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:28.626{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01F38E66A447AB662F73352D04D2B59,SHA256=8728C5FDFCD15223CBF3C7158727950373A5158A64FFCFE4338F93103FB794B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:29.752{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD3563CDCCD4D049E7D6876DD8CEBBF,SHA256=18351511F14C4991FBCC082D8BE390D60C059E88C9550B575B196C5A95AE72B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:29.641{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD12EA9296C95FA316CB2CFC0707944A,SHA256=C918F3B2A688976A3DC2514BE6E4B1549293C45ABE0CFBC6961D6A8BB7874F53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:29.110{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D310490D291411AA7789D49A63636E8,SHA256=B9F5CEF6A5A6BD80CE939D47CDEB9123756F52D697F165D1AB8E2F0A8735BBF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:30.756{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327AD211F79E915DF21301FC1BCC0A30,SHA256=DC5CE72C76761F72118D2D271CF4256EA08D03DF69C5B41DE48F9A807A0F3784,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:30.657{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9436A591F746EBF3553A939D32A9E7B5,SHA256=701ADCDCA1D58C793410D65F30E37BF3D26061F6D7E45BCE54399AF8CA55F620,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:26.956{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53855-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:30.110{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0691167AD2517A5AF541545A37DD5B7D,SHA256=38E298C586BAAE91B6D508C3F070291811DFD01DC2D763BAD1C47EE3A141B576,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:31.770{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116E4F55756D71F5B2076EACE0C38159,SHA256=8CB148A9FB19B677E006E067E1F244B3A1DE974E4203385014C792E978358C13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:31.688{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86940DC07FB61A95AA21DCD203B0742D,SHA256=A06EEC5B800FB57B3E42EF863EB7776CFCB88026458AEE6E7F6740F6DA455F20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:36.135{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58923-false10.0.1.12-8000- 23542300x800000000000000047958368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:31.313{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E4B7AA31620593A60CACC86A0071BA0,SHA256=D0DC7C04C0A143A76A874D6C3065901349D4B729D70F10AEE2BA215702080B05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:32.704{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB0A5C1161A53797190569834EBFC96,SHA256=85E2C812C0FEB2FB465C9D7922070A8064BCB63BE7A3BACFE385CEB3658F1A3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:32.816{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D81E257FA9863F9AD762BB808A365E,SHA256=FF3C6AA4781B4CB1EF291F1E771063E9B6AB173CBB151DAF1EC1BBD82367B246,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:32.565{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15DA7D65EB98B2BEE8EF84BA61093D0A,SHA256=8F03784D4B9D84302CC3F41B911A8EF20979AC3D35C1BFA88EFC27C097283DD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:33.923{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=637B86DA922CFBB3804DA5BC721F1DB1,SHA256=8AB1293EA291C5E7A84D7C6B6C535870EED8F2C5F127820BB5764EC70072232C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:33.735{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A886092450D26923FC2BE4BDF70D8E,SHA256=2A59F2C41AEED3550FA46AC15D399ED64F3439BF20BAC3E35A83328691807C2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:33.830{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA22E5CFB3161A9A97255BAC9EA016,SHA256=1A535B53D47C928156B813E912F98D50831B7AE5C2053CAC2CD93313DB584525,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:34.847{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378914B42C74770ED01C92BE8189AB97,SHA256=21FAEE31CE61817DA145B6E84980C6CAEFD3197292DEAB6F4079C5E61F428447,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:34.751{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD66A19B3A71712BA242BD8543904E4,SHA256=CDEC57DC8334EB963DF65EAF3B4059E9BE9A1BAA37C2C3A1A15975C61781DF88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:35.866{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0038008786AE65C2E5BCF732D2C3A3E,SHA256=6BC637306F053F6532F2D497E7FE00CA9FBDCA5D64D7122AB881197DEB3EBCDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:35.782{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773CD5748A34E31F64AEA80162469E8A,SHA256=FE3ACAB20C95D7F4BD9EF600E50415B56E42A4D4B3CACD4C330F320DD35B9CC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:32.068{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53856-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:35.063{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ED60D74070C8E2176B682D396C17365,SHA256=EA6DDA34016F282ADEA171C185D98F8C2FDBF0CFF484197054DA1127AA0AF166,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:36.912{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296ADB4D4744CE4ACFAFB0E36F5381E8,SHA256=99DDF6B1A56E6AACF846206881C10EC31F34D6E3ADFAE02642800128D5A7928D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:36.787{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BC30A800F6709CBB30BBFB7E48132F,SHA256=304C897E5BDEFA55476E694C345A2BE4CBA23AA1C14964B3AA8B1D8439B659B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:41.162{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58924-false10.0.1.12-8000- 23542300x800000000000000047958378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:36.427{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB06FD1CD262FAF4569C829CAEF4416D,SHA256=2ECDE6D76850B815181C8D88B2483253DC2910B290DB280FC295BAD616FF1CB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:37.945{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C05CD3B8513DBE77101DEBB13E13A25,SHA256=562F710DE0C45D49DB56701AC1B16D94BDF26C86448D977B6A809FFFA2833A07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:37.818{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E442EF17E556470F9708CACAD9493C10,SHA256=3E60C752F057FEB137DFFCD0019466B2925036FA894F67D4601624AED86F5DB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:37.459{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C459FD9C2E157693EF8155388DC4A615,SHA256=6EFD48F476F0FB5FB7896303AD12646B799169F69F180ABB076F2920957973AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:38.880{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BA00E7D957C8EF10D57108998A27CE,SHA256=1D2701F63F3F0DE11A79792386809F002D59DF06FA45846753134FEF5854A987,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:38.964{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E842E703116ECF4E3BD152ADAEF0CD48,SHA256=F60EFA97D8CEC71298782FDE7A45E946C793B9F0EB8C00919A8CF00300729753,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:38.709{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B6E14DACEBDF35179CB6BECE0B19923,SHA256=FE8381A1D755B84B17807E396D2441E5653D732365058C77F1106800ABE17153,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:39.912{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93ECFC75B8D82057B8720775370DA22D,SHA256=C07379A0666F911108E795597C3C9544EC24F225798D625BC1E45A3E6D97F93B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:39.994{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DDA6E42AAC61F28D67048EEB246B94,SHA256=BD09181973C2C658BD96D1BA9039C192C6A8AF3A24359AA9F71B159F1B76E31A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:40.912{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27C9583BB750633874FEB5D7281E8C0,SHA256=41E0C0FAB0F8F8ED3F02A4715810E567F4C64B06AE4419D683A5D4828A11921A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:40.996{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E314E891B0C47FF64A6DA8BE0E8C6CB6,SHA256=6BD3CA4B7A546FCF7E13B1287265A5526CCE8D93ED9AAE311E2C741BE4E41252,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:39.990{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=456B6C1A46D102EC5CA2972E4931E743,SHA256=E77D690FD48E4E3F24A251016673CC9A8BB2B5F52C0E88816F1416587C4061A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:41.943{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1218779AEEF8F5DC1F665912B3F0063,SHA256=D3A5DD9FFF271FC28E26885E3343F4A19778F0B48B0AC216F1B540676AC5FE0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:41.318{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DA9AEFA3770B674BB6FEA0B940D26A5,SHA256=23316D738EE2AACA1FF905101D0F602BE1B75BBFFBB2350293567BE2D7F63DBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:42.959{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE0A56FCB6C047A518B51ADD868BA48,SHA256=259B3DCDBB939E0091FABE6E6BACAC2EC3CE88AB14A77A1BE8CE3CD7EBFDCCDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:47.126{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58925-false10.0.1.12-8000- 23542300x800000000000000030726231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:42.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43CAC14CCC5F8807FD9F278539AAF93,SHA256=B5ABF7190CC22775D393AC7ECFEEC7E9783A5AE6A58C6C894379CD4BC0AEC61D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:38.070{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53857-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:42.459{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=845F79292AEBC00C4F0412F4AFA79E5F,SHA256=7FB52867B54070233E783C763C587A99987D5EAFD7A089D45CBBF777364AC457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:43.023{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D53191219984526025240251508A5C,SHA256=58AFCD1DF464D9D9D6DB739D5EFCB9E0C186D8E8B24256FD567E86CD8595773D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047958447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.585{3BF36828-653F-6125-7DF4-00000000CA01}61282588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.585{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.585{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047958444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.443{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.443{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.443{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.443{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.443{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.443{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.443{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.443{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.443{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047958435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047958424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047958420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047958408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047958405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047958403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047958399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.427{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.412{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:43.412{3BF36828-653F-6125-7DF4-00000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:44.040{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0458A7ADC6593A701952F87DE0840586,SHA256=0D819D282C9B44A3F7406C3CB72E4CDFD036F1D269936BFCCB6B482FCE3D3A8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.990{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047958568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.990{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.990{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047958566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.943{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAEF20FED0891C1E004CB5ED3D196DE,SHA256=19C6E7FBF23588628803F8D305446C94429DF1FFB184C04D345DD654C81D17FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.818{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.818{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.818{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.818{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.818{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.818{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.818{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.818{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.818{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047958556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047958535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047958534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047958533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047958531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047958530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047958529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047958528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047958525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047958522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047958521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047958518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.802{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.787{3BF36828-6540-6125-7FF4-00000000CA01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.584{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D97E3307AB76606C9460F92A6EB8CFD2,SHA256=16F1054034321C292D9271884AC213D592EBAE14D55B7B12474FDC09E4D00EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.490{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AE17650AAF9107B4F26AE5B1FC3DF39,SHA256=8A193D8748C044C51039B6A693CFDF215A99AD1BCAF4BAB745A78AB7DF98754A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.396{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B23D2E87D85E191C52A46A368206148,SHA256=4F3325E081402820D1BE31F51226E64825C839B1D05E5E9DAE3A1C1D31555A80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.271{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047958504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.271{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.271{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047958502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.224{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81499D08DA7456F3FE1BBCCABFB77717,SHA256=41EAA17EBBBD71638ADE1CF5CA53768D8B60E7C60294430F1815956D2372A045,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.224{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FD4BDEAB6DBCE7975A0A804E759E7EE,SHA256=344993DB1D59C1251A90C68EFC4FEDBFCC6351960FE1B59C13A18EE4466233B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.130{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.130{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.130{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.130{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.130{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.130{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.130{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.130{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047958483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047958466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047958465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x800000000000000047958464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047958461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047958458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047958455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.115{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.100{3BF36828-6540-6125-7EF4-00000000CA01}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:45.058{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA05F5012AFA7A87DC0D86F69BF8D8AB,SHA256=C8FD75936B1A06685A32E9523209A52F27D750D672AC4FDFB5118C427054F6A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.943{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC19A0A71BC1A5BE89A35FF72CD4E25F,SHA256=303B700207816E405DFFEA385C9868945922EAEF3A9DEE850FEB295DAC456000,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.880{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C5BE683D68B9102564246E7BB0E1D4,SHA256=003F25C746831941B113C385B7E9B656C8E9D5910D0D0D6C76E5E7ABC133AA36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.646{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047958628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.646{3BF36828-6541-6125-80F4-00000000CA01}2760804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.646{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.646{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047958625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.505{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.505{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.505{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.505{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.505{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.505{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.505{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.505{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047958605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047958593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047958590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047958587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047958586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047958583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.490{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.475{3BF36828-6541-6125-80F4-00000000CA01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.255{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B04F574912C828CF0D109252E76FABC3,SHA256=BDE147577BA6476B7CA776027069802DD062746703AAAD89977CD2B75D4D7C61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.177{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CFDA2AE5E1E742F0FC4D0E54CE8CDAF,SHA256=3925BC67ADBDE0931E8497B9908B90650ABA7A4208C86FE0B277799FB26DFC6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.130{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCFDA8A2458C03745356DDF0F0D9829,SHA256=58FE7655CA2E7AE1010B7330BE9E38AD9E421D98DFDAB5E1037934AC007AC2CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:45.084{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=371656B9F3A6CF6ABC2629578F4B90FA,SHA256=7210C055AB80AE3FB602E4A81791CA13F97A803697B26308DDD8D50808FE8531,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:46.088{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E32BDE836E0785F902023C0D4E945DE,SHA256=DA268367AB42AF252974B31D57B714234C27DFF01D175C9F32D2337A02D9097A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.943{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047958747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.943{3BF36828-6542-6125-82F4-00000000CA01}11484580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.943{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.943{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047958744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.787{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.787{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.787{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.787{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.787{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.787{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.787{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.787{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047958723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047958711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047958709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047958706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047958704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047958701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.771{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.757{3BF36828-6542-6125-82F4-00000000CA01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.474{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDED07487EEF3EFA38A1A1FC346AC202,SHA256=6E29603011E93DD2606CA113AF13F70C9DEBB8D4A6A6AE12A1D5A244391EC42F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.412{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDAC323482A57E55EB992BCC32642BE,SHA256=523545B35776C660B20F73DCC179AB1B7A0044CB99E922FC7E93C7DC5EE85BCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.365{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047958689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.365{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.365{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047958687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.318{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61664CE85B833BBAA45744FE9BD44048,SHA256=AE995BABD4CA9F198385D87C8276C7092AC32DFEECB51CE7186D3F5EA6EABF12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.224{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01BE9122C5CB93CC7F3ECF73BD9CF73F,SHA256=9D840453B6B11D27BC0D27DF797C5F9F13E887A128A6D450C529FCC736C9F368,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.193{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.193{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.193{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.193{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.193{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.193{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.193{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047958672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047958659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047958653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047958649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047958646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047958645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047958642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.177{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.162{3BF36828-6542-6125-81F4-00000000CA01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:46.146{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FFA22126DD8E702F488C17B7EB9DA02,SHA256=FBD4F0A059328F4F49672839CC0ED4CA2167EBB3653C08F4D78C450D204846CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:47.103{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963F2BB3E5D40EB66E7829285668CA8D,SHA256=4A5383B0A77013F9AA039166C32096AFCEF79D8F9E73D727B6906124D7E6421A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.927{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=876BFEE0CE266A780437AF7461C80F4F,SHA256=1AC5BB50F738DF751221CE87C68B74612B1BA282FA227A8F70A0048DBE0AAA49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.865{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96F82AAB0BA80236B626824E7B0BB42E,SHA256=2CB079211B007DCBF4C4DF8110E5C3AF6F234BD05B666F3533FC13BD70795760,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.771{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B473BC40DCCEF0D07D3B6B853682F17D,SHA256=A1CDF140849DF68E749A8CA69DBD0C17B111AB5AF6C21A1B3667D1748AD39E9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.709{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5275F66C725D60A2BC90B59964CC8CEE,SHA256=10AF9B5F3F3DCBF9AB49D5F2068E363DB234D6281F4A240DAB594EAB32E36148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:44.008{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53858-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.646{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027B083C2E3B46DA48040C9DDF7FEF78,SHA256=D2A87C5FF88B283284B5950DF195201D14F197C9A1D26E2C8A52E30CD497B356,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.521{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047958809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.521{3BF36828-6543-6125-83F4-00000000CA01}81772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.505{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047958807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.505{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047958806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.380{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.380{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.380{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.380{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.380{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.380{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.380{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.380{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047958789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047958773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047958772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047958770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047958767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047958764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047958761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.365{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.355{3BF36828-6543-6125-83F4-00000000CA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.349{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=587220504BA4114F5B0D5B19A089434C,SHA256=078C00783AC799B02A83B1655027013BDBE4C9318E95AD5338AE6289DBB31BBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.255{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7C2FA9CD194B94A0E63AC117B2893AF,SHA256=EF99EB125B01E045D1184A949CD083A4A8B7922360FEC2890CE5C4E33BB7BDE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.162{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33FD0273CA6B2668DCA69A63E0068503,SHA256=39B5D47CA6CE5DE622859F0BA083910175CCF897CAECB0681AA8658907204DF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.162{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128230157F1580AAD2B1E17D316387BB,SHA256=F804BCFEE01E09F66EAB627083D3E8A9BFDAFE740AAFC1407ED2CCEE249D6DB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:47.099{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF513CE282C44C4DCFDB9764F1CA6859,SHA256=AA69455F4EEF9E237C02D7F5969A1A1E206B8CDDA67F1C98D987707997F0035C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:53.051{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58926-false10.0.1.12-8000- 23542300x800000000000000030726238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:48.117{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CED3F8D922F152CDA6D75640937389,SHA256=AAB1255B959D9FA8AA32A06E97B3FBFEA6FF29ACF8F812B13CBCEA94A871F4F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:48.302{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E560322A356D5EBEC53250504FEC471E,SHA256=7D7955BA9D26D8F5F50A08EFC646CEF8855F88A5CC98F2037305AEBBB97A3DB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:48.255{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCE84D9AA2094EE045BB9D7C64D6002,SHA256=2A2637D228F293838530D345B0609594CE080BE90EF752F2D079108DE9D24474,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:49.443{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05BB89CFDC608B1107E78A5B67C01747,SHA256=C23EF988A68FB7EADBB413E669A8AD7189D52FB38CA70E126C09CD7F84E082A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:49.271{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40995C23F82DA206F391BA6E6FFC6DC9,SHA256=C6987DD3915EFFFB122F764865B22444D17A99883246C3C23E4BA9FA8AC2B0C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:49.134{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29918DAD91260C18BB419D57C49F3A6D,SHA256=63941088AA81CAD1AB65F57D349D70E30FF5EDAFFD6EDC2893B3FF1790FC43A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:50.584{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B795C70D4FEFE346070EC2CC89B013F,SHA256=FADFDEA73A0CD32A53D5DA721C229C5A53C39AEC39D764ACC4923F81E92EC3F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:50.318{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99475AA3BDEBADF208BDD8FD55EB9F8,SHA256=0AB1BD3C52E217ECF9D0564EA668855383B77631EF159FDDD29474B8510FAAD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:50.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C894CE83A8AF643FA22958081D3FC056,SHA256=1B98C2A33BE5264EC5617B169AC4B54D0E0DA573845AE56E453BEABC145F3266,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:51.724{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF3F6AE16D7287F1FC9A86E29512737D,SHA256=432E055BAD65418486248F040B25B81154C58D70B68A6315CDC3D87F3A98A177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:51.334{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2328DF90A882B0BCC858454B154301,SHA256=4FAE8F80323A27B091AEBB32CFC0551B7B93CC0A5FE3257A6FB610A6A9A89470,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:51.214{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B338FB96F6869EFEC364AC919B9D08CA,SHA256=3A571B1F73B68C78138296BF1CE47B2848E99ED6D5FEFCB80116CA78D5D6D4DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:52.232{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9341DABBC433D14351BDDDEDCD25ED9,SHA256=AA13D9348E8E738C3B51F6A7B72AC00F75A7561CD08DE4BE3994DFC64960890C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:52.865{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AED240557315E378589908ADA18FA3D,SHA256=C9DCBCCF347019ADE17974A25C8CDB39B95314DE644B36ED64E2EEBDD8DE51FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:52.365{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA4B572DA3A6EF26CF40EC43502580E,SHA256=8EAD7A27B31EED942EEE4C7048E65E957ECD1B48C522DB74BD849B3A5F37F6F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:53.264{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC8856DABF5B1690A3C6BC88D803D75,SHA256=06F8916B6FA8650FD9AAAC68E7757F24CCD070DDEC50FB11FC2B3B4644ABADD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:49.898{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53859-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:53.412{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D23A33B7F714662AF8618EF77B1749DB,SHA256=3D78526DD735AFA6E9F4731D40601EE6611C24F19DAEE2F06C3B42F2E2AD568A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.115{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58927-false10.0.1.12-8000- 23542300x800000000000000030726246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:54.279{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA169E61E9DDF4AC17B98A9F5E0DC0E,SHA256=521E56130C407F9F5C35AE00F0CFFBDB4DA2B91F6A8F9B5CFC41223B38E64FB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:54.443{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09640A683BAD4D25E1CAAB42E8C50195,SHA256=8B23299BA2D7B9774A95B9B173ABBF0C1270A916BF3A39D97795FF35C6877B9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:54.115{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B3471429E92713D8972FE017ADB12E9,SHA256=6DC3FAABC24FFEC94B1358665C872FF07030F5EC4FEDA9D0427B71D01F5BA027,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047958844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.838{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047958832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.599{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31CDF8FCBBC722533F1969A3CD216317,SHA256=BDA4B84B1F83F87154700D1992D67D38A530A3D0554AB74B49A7C505B2231E19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:55.599{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D815857DBA98D2AF65B0605F53A05451,SHA256=407DCBDD9205393A74C4D7211B4A866D258C86852B54889860BB6D378BCF85CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:55.578{B81B27B7-4012-611D-0D00-00000000C801}7924444C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:55.578{B81B27B7-4012-611D-0D00-00000000C801}7924444C:\Windows\system32\svchost.exe{B81B27B7-429F-611D-0601-00000000C801}5536C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:55.294{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94102C145F456073F8E52F9B1671B5E4,SHA256=6E8731950BBE15E09483AB536EF1E097FDA7271DCD2889FF27DD15AB3F0A1EEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:56.729{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E6F77DD87540C4F95709981F5A3713,SHA256=8DD18F25C76B3EB49ACFE84FE348E02D6DB8790E715AF8BC34B6EC74583330CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:56.327{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845D888CCBD192484E9558E86C7F1D35,SHA256=F82AC9FE58AF7C214160A49EF8004DDDB78373211AFAB5F1BADC53DF02DE3F62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:56.604{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFFB67481C87BC9C34335E0949BA0734,SHA256=9125EAC988B91A2F32BDB3E87E05197DFFCE4AF59180450182D77E8EF3ACAFCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:57.760{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15E8776A0A54905A0B7AA2A23387292,SHA256=F6E16B99B649373DA8E58FF2910C02D372E4FFFCBD263D82818C2D5A1253913C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:57.545{B81B27B7-4012-611D-0D00-00000000C801}7924444C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:57.361{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1A5F39651FADD4440771E1C0366914,SHA256=89359E66EC18A9F4CF54DDC8487BB3FA9B2DF6F29BEC72810C225626D32E75BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:57.744{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25214C07DF5725C0535EA321EBB966E5,SHA256=739CC44C841DD2F1332F49A337A1790D4CD87A912A678B67F44A4029AB84ABC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:58.869{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E20821DD6DEA2C1B4E18B40C5E37B7C7,SHA256=BF115BFE87ABD3FA71E4C60E8A84B2B517F2AA2AF6A0C32C5C0BAAF0643B6B94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:58.760{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075228A1E2D28FFF604D0E879C9177A3,SHA256=9F4E74AE70E6FB644D36F8C5B19E6F1E578FA71EE53E03449B90EDF584AD639E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.591{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030726254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:03.160{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58928-false10.0.1.12-8000- 23542300x800000000000000030726253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:58.391{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF51E67BA3C77158B06DB86FA66AA18,SHA256=242570BC374A2E6C6EE0F30466EDF900C5100C6C4C09DADE2046FA65148ED8DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:59.807{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BD0858C1C557F2976B23C284B7F6BC,SHA256=EB5053C34A8601E0482A4633ADA280847BDC3F62513339D23E76486DB287013D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:31:59.805{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0BF958A4A28E1DF048412D8C14C6B8,SHA256=1CB0A534846273C8F0F15AA2FC2EF4EE4E4A477228DFC745114E9BE498D42A10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:31:54.996{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53860-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030726285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:00.842{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4B999E32A0B6A2AE9B7D9D6C6141D4,SHA256=32E85CB22D6F9CF7732157DC273121568D4019D1026F92190BAAD1DEC22A3D10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:00.838{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9578EA2D35B84985E189ED1E638F47,SHA256=8CF95F60702A8731A98780162CB84012E9A8E863997B2BEB18309A06DF135591,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:00.010{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D42DB72E87A4875FD8DF139CBF24AF9A,SHA256=74B97101F2F945C3B5F523F43B6C5FB3FDF98D26AB952BEB1BE38159EA3BC52B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:00.190{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=99B22D54034AAFC28C13DE0A562F1653,SHA256=9A69CE8FFA9819F905BEE037F6A9768B0FACBDB620EE4C2D2ADD7BC0F0AA8038,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:01.843{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDD4B80DE51FC814CC11E71E978783B,SHA256=7817C1B682DA26793EAECABE6898137C2AC5463C227333EF509C54A481059068,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:01.885{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D38686599F9E4E1BA76DA2CEC2C3E02,SHA256=FC478E0AA6046DC422B3406E284DB34A588542C14B21BDA9E94C64359015BEFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:01.150{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CD030AF80D85455B53A1AF7270E6FBD,SHA256=DC4CC46E656AB55A2DE972F8FE0D96BBF33E110FCE2F352BAED7A44F18728E7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:02.889{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80157EB36D73732B6A6BF702CB742C79,SHA256=E888D852251E8F0540272AC59BE2ACEA9196C0CC664BF8BD5778BC78B9B95B49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:02.900{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25126AB19DC2D7EC83BCF59E15FC724,SHA256=1446B189D3FDA50F490595BB4C440E192B8C9246A583E1B119792888E8B1A437,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:02.307{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=595A8E6BC3CEC8ED40A0C84F35EDB9A7,SHA256=CD66581FFCA1F3F223B20068FC679E92EC1EF2BA626701BC0AF3FF6564AC214D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:03.902{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6257C6D63A91C1C5ACE03D12A043DCE4,SHA256=C1534BDDACA697EE4EEFBB7618DA15E49F70D4EDC8C3A56086C923A7D89D5FE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:03.904{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7662EED5680C91F271EAFF645E2098F9,SHA256=407C6CEB04B541642F7A160A57F06A7B4FAEFD06F7A35E3227F07A6EF968DDC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:03.888{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6553-6125-9300-01000000C801}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:03.888{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:03.888{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:03.888{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:03.888{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:03.888{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6553-6125-9300-01000000C801}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:03.888{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6553-6125-9300-01000000C801}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:03.873{B81B27B7-6553-6125-9300-01000000C801}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030726288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:08.175{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58929-false10.0.1.12-8000- 23542300x800000000000000047958859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:03.557{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=966E601EF7E90794E2EE2991CFD1DBFC,SHA256=0725C3668098B5C3A97A393808080BB657B8CD2B92C01607A8F27573CE24D6DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:04.934{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226F422A087640BE3EF963C5642F21DB,SHA256=E2CF59EAAA0B0ED891BED419FC2C858098D81AB09519B80B5326160FBA64436C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.940{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116A0156C95A3E5CA025CAAE718C62F1,SHA256=E49416914F22E71CD7DE2F37E4B5176703C7667D08ED06371BCF166E4E7B20BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:04.872{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3554122E052621ECE167B332D31DD290,SHA256=CBFEEA46712EA2B7F8AD11F7775C78A764F14AD52806FA644A7C4885235C778D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.888{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81EA5BB7279BAEC51589E1539BF92CD3,SHA256=733B6E52B59F6B436DA60E818DF1549680277B3C334872C9824FD90F931E91CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.888{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DD38BEADFA26C57EADD6028D203D47D,SHA256=8D06B03AC4CDE2A59871A18A29DB556B3FDE6315BFFF1A48A2FD1655A4B0EE9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.725{B81B27B7-6554-6125-9400-01000000C801}23404864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.572{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6554-6125-9400-01000000C801}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.572{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.572{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.572{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.572{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.572{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6554-6125-9400-01000000C801}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.572{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6554-6125-9400-01000000C801}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:04.557{B81B27B7-6554-6125-9400-01000000C801}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:05.953{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B294A9F19035D6BF226D60C256E9BE2,SHA256=33878816218463186838160805EBE9271D1951CD2C9FF88A23FEEC8142FE3426,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:05.970{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEF06CE9598248DFB324ED07BFA8EDA,SHA256=E7D56F18BCEDB7494FFB3CBC112699E7A70C288AACD2E11B6A9D1B847B4CC4CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:00.871{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53861-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000047958867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:01.888{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53862-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047958866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:01.888{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53862-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000047958865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:06.047{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1611898637813F0AEC7CD7102C822064,SHA256=B7B732D109CC67D71147B9D0734430C2FC6C84A0816ACF66FA7A0A3193B22ABB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:07.203{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A80A63091F50769273133EC556B84E8,SHA256=2BAE4A1A65C2675B33BFE4683A4A35608EBCF9D221FA4FF4A069F48333DBE84D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:07.000{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F011964E5FD6025FB6E5CA7FA93989A5,SHA256=F4EC12C7A293BFD25C32ECD3987C69EFBC3E0EB49A77A2B20970A82FF735C616,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:07.001{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D831E2774AC28941D3B31610F8F8E97,SHA256=2558A46BE4015E4DAF64F3B6AECFD59519C23926886655448E74969DF5674B9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:08.018{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80788B5F430633AF09D8F14902624E7D,SHA256=49319CFD0D52ACB2B8392F1794AA9A2C24F1542F42447015B64E9BE52481E677,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:08.313{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4A5A4F6346BA8232B5E91C35F3D6D09,SHA256=CAE34E7ECC9A4631D0203FB91DCB81A5DCA4980C8411FC24DC96C8074BDB97FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:08.016{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF024D863BB84EF9CBFE5E895642BBB7,SHA256=39C5F79D069108510C26ADC98953BAA497C64412C7241725B75F2C45281F9E6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.071{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58930-false10.0.1.12-8000- 23542300x800000000000000030726313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:09.051{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C59B39C3D0315D354ABACDAFBB41B6B,SHA256=871C6925ABBE4FBA8B03CC60A2C9D57E8B4FB3C351E6199228419C8BA95A89A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:09.688{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA0F65A0E1AFCD287945CD41A10CFD52,SHA256=AEEB5E5B32F1855B78F5A6BFB6AA351B176D1FE7FBAE793A6E7252B815416A22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:09.031{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFD3351EAEB0E8FDD57445F0606857F,SHA256=F411E3AB1B57EC335CEF699BE0058F4B6C58F143E22DD5101FDF01AF0D6FA740,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:10.719{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE424112AD27D4B64C1CADE36F98C9EE,SHA256=EAD3087B7F4442488AC3AEEF027BD35EA366B0D22842F8CA0954D870F15CB6E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:06.018{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53863-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:10.047{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4E1E7C148D7F3D4167CD603753390B,SHA256=FACB81AAEEC182209A1B1C3FBE43E24718783BD132BFBCEF4525C1C9DDE2C284,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:10.066{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F80DCB3C2E608D411403D44D79AF83B,SHA256=86C7EBA61F111CDF7E932D93B0255D151EB8FA92C3CE1CA8B80D4DDE893570E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:11.875{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2021D64EFD7A472748495F165CD3767A,SHA256=89F1F2D97D0A7F948942EC357A1B60E17BBFB57605FD640D363806748036F3C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:11.719{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:11.094{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E32C7CD1C9E8699C0D556E25EB3CBA,SHA256=F1F73E004A52D298DBBF68463D99567AEB4252B7FE27F6EB35E13A2DF2D47947,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:11.380{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:11.380{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:11.380{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:11.096{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627864AEE34E21E50B9B3E9663CEDFFC,SHA256=5F25FC343487A78B0E3DE49774C77868943EE920A6F41DC144FF8F8D25D521E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:12.141{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B34F590B3F247C1533A7F7B4C55ABC,SHA256=AEF2F6CE95012A6BE559466D6204D64B20037D6B0DFBF3F0910994D3618DFAE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:12.116{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E05210D3EFA166E030DF8654E7664F54,SHA256=4A2AFA5F2317CEA232EC7E963B20B9D4380A6AF7CDC767EB55C0BB55E6224750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:09.549{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53864-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000047958882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:13.391{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C5E93F668F3F7DD958FAD27B9512DE8,SHA256=B4A518CB534CD998E3E9D4894C447760232721ADE2172BB6A2270B10A185A4B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:13.156{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC59E5506A5CDA5F294A060409EC938,SHA256=2C258B62C6E4466DB642B30A39FF7CCF69C586817EA7EDE9644F60A5EEA70933,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:13.478{B81B27B7-655D-6125-9500-01000000C801}23923876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:13.347{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-655D-6125-9500-01000000C801}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:13.347{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-655D-6125-9500-01000000C801}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:13.347{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-655D-6125-9500-01000000C801}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:13.332{B81B27B7-655D-6125-9500-01000000C801}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:13.131{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1289B71300A4263D9ED778843B5B7A5E,SHA256=D59EB0376064F265FFB05BE867B59612F6A04735151529675258127B20B40F7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.361{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D422A0E949EABC8A5A205A6FAE441AA7,SHA256=39006CB4DD34818C61140C11CB1FE99E72E30CF4DD1BB8A3777E1D7954F2F5BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.361{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81EA5BB7279BAEC51589E1539BF92CD3,SHA256=733B6E52B59F6B436DA60E818DF1549680277B3C334872C9824FD90F931E91CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.146{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B15AA08348DEE00A89A2AC6CEFAE6B9,SHA256=E7E40F3FE344449D581F17184BD9F57353D325F6A7BAADC6767450457CFEC1EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:14.500{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB5121BCF147D49850F258D59D2CA28C,SHA256=F488B339CF29F20C8311A1BAD9ED8E4A46AA85B69F192F04C353A29BF76FD890,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:14.188{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C860C33B8160ADF5181EB5673CC14DDB,SHA256=D59625A8524BC7179BDB0BD13582122DE1A693D9F9DC93B15ED5BD53A4901A61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.015{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-655E-6125-9600-01000000C801}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.015{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.015{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.015{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.015{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.015{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-655E-6125-9600-01000000C801}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.015{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-655E-6125-9600-01000000C801}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:14.010{B81B27B7-655E-6125-9600-01000000C801}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:15.734{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DFA1DA8195543571DE15129A5FA8A0C,SHA256=8E3B56142C75586834A93680921B325E9DD15958A38B5D50A91E35B925856224,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:11.075{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53865-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:15.203{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3EE2A44931FCACBEDDD3FD1A421D63,SHA256=F0E2DC6F209B0B69551F58675164CE8402D822F496AFE66ED3ECB283CE31C029,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.042{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58931-false10.0.1.12-8000- 23542300x800000000000000030726342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:15.160{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75CFD0DD274649AA77F9BD8977B76F7B,SHA256=164F93FBAD7BCFB4AC6AFFD68402D414F900B9780A0A3F7826C6DC57BCA02A50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:16.831{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EEF7FD2D98294929A771B3E3E7A5A3D,SHA256=7549AE6FDE85CF8B103F70BB8C0294F1243869CB323B86F17DB7E809C9A87C6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:16.222{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7724532E5841161F693D61CB995775E2,SHA256=340FA88153E6F8E348DE2416E4245EC8952BBEE5EF6AD28E83D818C769C91155,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:16.175{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4012894092F1AB788F4CB717FD22B9,SHA256=85316B9697EF8BF16EED9019402987F1A741B2034971538BBAAB45B7322914C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:17.219{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCFEC06E661AAC3184D2EE9ED29B2CB,SHA256=2C0E9026AC07634FCB70C1CAAD4547B94F8442369FCBC4CE5A9F7A7F9F4C0E53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:17.238{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B9A451559C854BD9E6BAF58426357D,SHA256=01636DE99517037D5680EB7D33D53419BDBAB655C25AEF759295712BE6EC8070,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:18.234{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8896079BD51A84D01C81AE6B52959771,SHA256=6A97C5F67B43CD4700F65989EEE2F22718173F80BEDA62985DBC36890B448096,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:18.316{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B256CDFD106BCB5B6B8CBC92DA1B1C99,SHA256=3103778F255E3BF9D581F727853637D67D406D01BE7542BA605C6EB2D88F48BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:18.019{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F47314216D80EFFCB1628B950AC0DFCE,SHA256=6B48363B5DF2F5B4E4E43932FAE09F5937FE5B57CCD929C66FE554A8602F6CEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:19.363{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:19.264{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1288CFBEA832B10926E4798318CD92FC,SHA256=27F306AD7481CEFC1BDBFCE385523277BBD6BAB71CDCD9AA57BAA237367D269C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:19.331{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB21F1548A4F82F61F438C287897DBD,SHA256=30CFDD91D7526269AAD78819AEF0724E48BF9DB31CE67863981999A640D865F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:19.128{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF4DDD9A5761DF8B261091E13F0CC58,SHA256=B0597AB1F96B50A72406F6E6BAD182FA683B634EDD4BF3CE4AC7FA72BF81D0C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:16.990{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53866-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:20.472{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F948DEFDF4BA597374E013202FFE17F2,SHA256=35DE67D970D3624634A8FDB2F83E5DE944620E773AB5708BC97DB290A0F50755,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:20.378{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5CF01602890BD4D79D961781A18548,SHA256=32F10BA001D8FC654854ABD53A29C394368D8A8D19F97EA25257249FE2FCBDBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.962{B81B27B7-6564-6125-9800-01000000C801}64281208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.747{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6564-6125-9800-01000000C801}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.747{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.747{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.747{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.747{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.747{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6564-6125-9800-01000000C801}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.747{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6564-6125-9800-01000000C801}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.732{B81B27B7-6564-6125-9800-01000000C801}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.294{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD4D0FE3C7177ADA3A8D6738A97ACA2,SHA256=C47C8537EF78C0F34E404FC4736AF8C02A6725FDF7103807AD6E082CBD83FC09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.210{B81B27B7-6564-6125-9700-01000000C801}45287052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.047{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6564-6125-9700-01000000C801}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.047{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.047{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.047{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.047{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.047{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6564-6125-9700-01000000C801}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.047{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6564-6125-9700-01000000C801}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:20.033{B81B27B7-6564-6125-9700-01000000C801}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:20.160{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=031CC2AF224AF6FF90445D6E2991AA2F,SHA256=12A8388612BBACE826CF1627AC9B14B69D6AE2536DBCF1F606D7121888EA23C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:21.675{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1071E16903F40214EE6809D1C8ABB27A,SHA256=EB1E82EE7AB0ACFE91D7FD33C1EF3C74EE1FCC96CA2EB1980C8D0AD322BECC4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:21.410{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1E19F373047B0CDDF013D20CB0F5CF,SHA256=F7E6C6E5EAD81A161D152658851AF72FDC1B8AA74C937DCF3545832305363907,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:21.314{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A0C4A21E7CEBD0FC3CABFC5E6E6647,SHA256=9ACDD72F64816F067B7988BBA5534E72A22426EB8B1D7D9C100A387583CEFC15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:21.093{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29636CD495217EBC1A23A23D8FF59617,SHA256=AB257E73BE6695FB0AF702908C1D5CFF651BFFD4A7D19580AAD9D12AD3B646EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:21.093{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D422A0E949EABC8A5A205A6FAE441AA7,SHA256=39006CB4DD34818C61140C11CB1FE99E72E30CF4DD1BB8A3777E1D7954F2F5BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:26.280{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58933-false10.0.1.12-8089- 354300x800000000000000030726368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:25.182{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58932-false10.0.1.12-8000- 23542300x800000000000000030726373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:22.345{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D3D05EB8E2658FDB3469296B3B4E81,SHA256=88B780D5815C1C94DE6F70D9B036F0C77527839FCAF3C08B18FD9A7116B634D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:22.785{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77144F6AD384379D4EE56A77C1601D74,SHA256=D29538DD40E4AAE2D3C0D8F8CBA4C4931D8BC5811FE4E5D5433DD6A1DF3F00FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:22.441{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF48BDCD4D5B199056ED09587AB185A,SHA256=DC71E99EE5A811CC9C8C694B7F4566F93CFA97A3FFBF9BFF05BB3588B0D5B737,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:23.411{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9ECF60E7194125178FA557D2114F3CE,SHA256=A72D952A2B27DC287C9CD810F04DDAB095DB0160C30A8A59A3A257B4B9AD50E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:23.488{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D952CC2ECA1BEB710615AA6571426D4E,SHA256=32DF84FEB5CA31B73742D73A58CC51A05E1FB057B98B77EAC4A5F5D1C11F392C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:23.112{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6567-6125-9900-01000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:23.110{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:23.110{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:23.109{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:23.109{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:23.109{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6567-6125-9900-01000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:23.109{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6567-6125-9900-01000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:23.092{B81B27B7-6567-6125-9900-01000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:24.443{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C41CCDD4FAA6D1C7EDE32193614543,SHA256=8FFB0C244F3D1A5EFDC2D97C3A2DFE2CF16A3DF05CB070A977B563B4AF96D1DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:24.503{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D47CD138AB51DEFC82FC36D642ABD4,SHA256=4CFD4A168AE76BFDBF5B3218BC4A979DB84BD7D306804AE97F7F15792EA13B49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:24.328{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29636CD495217EBC1A23A23D8FF59617,SHA256=AB257E73BE6695FB0AF702908C1D5CFF651BFFD4A7D19580AAD9D12AD3B646EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:24.144{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC875B0DEB4F94D6DFAAB0A4DC93D1B,SHA256=F92A28FA825CDF2705929FE7C5BB0F903522390C973383E73AC15907BC1CA75F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:25.789{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:25.458{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C44B20ACC8F8CE2B15A0ABC19251776,SHA256=1E8D17E3C02A292DC8D2A854534C46BFE5C820921065B6CB83FFE3F116639753,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:25.519{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE02FDC024B6235B8A0DD73574A5888E,SHA256=3ADFEFD304981B91CACEF71E49196CBD2D27120B9CEA199CE3D503D882BBA203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:25.191{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1842A8B57C2DBBDB50C5E3E06E1C6967,SHA256=C19C19760638B61A2B3B4508EA8CE0414A188A1B301158072107A90388FBEBE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:26.675{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6023D522A4156ACF204D8A6E60E2BC08,SHA256=F7EFE57E6CFD79B3976D7A99621E0AB17135C218A396E1768F859AE9B086ED1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:22.896{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53867-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:26.566{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA326FBAB176FDB4C4F8D9942867F0E1,SHA256=0266E16C203E8030D991546E441340BC40EA742F0A8A87C590C70D5D544BBCCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:26.507{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B3337920E424A6083953630771206B,SHA256=AAB73125674C12C4204175C4423FAED113985D09299484EB1E4F51B943A6F475,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:30.942{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58934-false10.0.1.12-8000- 23542300x800000000000000047958913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:27.816{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1836A9DD1D13B5FF2B26E577440A1238,SHA256=9C94EFB30D6EF85985E4F650A0B39973904A75DD3B6B495DC3137056DD0B4C63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:27.597{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A8366185B1E73AB6AA2E7D5ED49B14,SHA256=A9F62F2BFB2598CAF50EE78C9653F859A669279C77BA9E3DDDA875A0224103CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:27.514{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD45FCAC8E80040B72B0A78427785C85,SHA256=5EFB40E3D61600A124BA901662BFE5BBBD91213EF725C2F8C206B30FC54B0740,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:28.517{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A8CEEA8BDBC98F5411DCBE5FD05334,SHA256=94018ED6F94E737302E7D2B1CA729000668724C3256EDF1392F361744AFEB1DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:28.972{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A8391584804D32D00A92FD934C33796,SHA256=20EAA135255E711D8D6725B8AC49C30E65D7C9628D38AC9BB0BE0A7F37F6CD64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:28.613{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE01264A18063FC998A65634DDD52555,SHA256=5EC20AF5C7A864ABCC76019F53605F5159BE58C80ACF1D7EC9D0BAC67EE5E59B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:29.595{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A146CD1C02012A913F2031DCA13E8750,SHA256=79835E2BAED9CF6BE2A3A6F443231EE6D2A1B44942F06DD373DBF7C07541109E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:29.628{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB26A394C343BC39A3EDAC9E4823D67,SHA256=7AC38C0C483674F3B3B34C10B2731AA164639212AC2D96915C139E50D5F24C90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:30.612{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C690745F1A3F3A5C0028C97EC5741E34,SHA256=AC5CB1F93B088DEFD53AE44F7243BBB82AAEBDEE0033CA93D4EA5881E06032BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:30.660{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A53BD471B2577C6BD88F010B94DCD3,SHA256=C3E8CCC20C0A441984F951BF7BA628F7096E2D1EB800577C264C17ED1E1D9F10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:30.097{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=124632E49E2220A524B7A496FA4533D9,SHA256=8CED0781D7FE475D2962F37A30F1BEA242E0B8B304D65D1D1F3C3D0B48C655C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:31.630{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60689CF13358EBBB05EBBB5A0613C659,SHA256=FC9E71DEC32A35FA577F2D55EFEC552CD7FE59EFB3AED80194F7DC175BF8E7E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:27.990{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53868-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:31.707{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F11B225BC1737C233F07F22E861F841,SHA256=E8057D3CE5637333FAB53FF488A74BF4326AC1EE07C16475C5A106E2E5A4403C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:35.996{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58935-false10.0.1.12-8000- 23542300x800000000000000047958919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:31.144{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B8176DB74D76F00DEDEF2A99CCB436,SHA256=2426D9D6D4C3B5EBA754768747ABD4215B0483D08EE743052C7E5C3E6E28DA06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:32.738{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149377CC79213DBF0079677169F2335C,SHA256=7C3B0B9EB6265233D8E783FAEF91DDB73D222299343A493A1DF3F165B50C5F73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:32.660{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C051D98E3899ADC9E13B006DEA01A4BF,SHA256=A4256319BE802016BD03B058114D3D6D78EE133377443D93A5E4E5C13BFC5971,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:32.378{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D27416E2A294FAA04AE1E6849AD4F60,SHA256=46491D90C7AB2D9CCB4F348B469FAD8F409889AD23D3E90D6C7DF28C59753FD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:33.753{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58CD32A191CED7DBB6ACACCEF445CB9,SHA256=32C040F323BFB86FE7584A7E33CBE9C0B78DF4176EE7325C10B02A2D9556ABDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:33.709{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A67FE988416979951A0358155F95F65,SHA256=783A4E1AA93984CEB455CE2FA6064259468E5D2D2A80522CF9E9CAC704CF7C1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:33.566{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC9713DB9E8D1A8C1F19D8860E6048E0,SHA256=F3ED8F0BE24DD535BAC34718A717938A0C917641342AF2786846E976E1E123D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:34.941{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC7DD6EEB1FB046CECC9A3CE4B7E14F0,SHA256=FFE51E12BB4C086BDD44BF6BB39C7F19EAF922F15D264B1B4E72C52CAC1F5D93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:34.769{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F9CC3C71E242B68283824D46B8DDFF,SHA256=6C845670D5467A45C184133D423EE6EF12B2D294F9CD3A4A6631D1D839A6409F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:34.742{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C243E9B6941AD0E0E90C567CF0F9F9,SHA256=7D50FCEBDB62557A8DF5420C08666208299CFDE206F7078441FE9D710889736F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:35.757{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF582594B877A8C0EAA00EF12D32D25,SHA256=7A6314CB160D113A2BDE5E511F1CB3AD15DDE7CEC49373BDA6691C78902ECC05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:35.785{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6EB65A93FC48F3578336849EFCA800,SHA256=E465D992CF80CBD6B12DE8264BD5F0CEF00A6503E4496F229A46BF3369347164,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:36.787{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED4EE2A5C446D71CE731EA095CBD31C,SHA256=FF149AB0B569298E5EDE31909C20551A3BB67284F102542D076C0C21AA911697,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:36.802{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD253EBE00E6CBB7797D98E2362B897,SHA256=F51CA9335C90172563AFDC588F42A39E62F0D3EDEB738E1C2F632E95C59FE779,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:41.142{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58936-false10.0.1.12-8000- 23542300x800000000000000047958929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:36.099{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910D24DDF941C5269588B948FA6A7DE6,SHA256=73E5C604FEC342FD82C69FD4A9501DF09E667D245E81812A71178F831FB05D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:37.818{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D7ED438383F8F1C9D0D25ABD1B3653,SHA256=85C90B485A2284C31534B8CDFE29B69A5359BC732AC2C481826FCE86E70A2914,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:37.806{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020103440BB293E24F1B86B4D8140689,SHA256=4DA0C6A38C051DCE02CA89DCB755569E94FD9551BC89631E9738615C714BE594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:37.208{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2441B324EF0082820FDE7AC11616BBFD,SHA256=E27CED00CCA155B9316E5E7C7B831E918B479F64390306EE55802D78626A9F14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:33.099{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53869-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047958935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:38.833{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157A7AF7591BCFC190A758C6E5CC2E57,SHA256=7D293C7A9CBCB87AAE27A87FAAFA5FAC546096216D59F8644D6F1E95E662354E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:38.822{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBA9907E0B9BA15856B98ECA3C42458,SHA256=4AEC6769A8CF60400B3E5FA7E1652D26C3CE61B80344A599B6B718D1BFD25E85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:38.521{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BDDE4107AC543091D0D8E218B023177,SHA256=6E36CF6FF33F7065BAA838CDFE5579FDFBE53924AAEC6539B4617F5C47F778D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:39.849{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B6911C2DDE9FC8903330F358717816,SHA256=F08EE44152879CA68B848835E098F902F8D7DC2CD645CAB332740353E4716085,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:39.852{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64C96C1B9637CEED5C06B2785BB93C7,SHA256=F299FEFA3325E7AA2B31AFE85D7CA1AA40DE619301AD7B189510BA6557FFD2E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:39.693{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6007BC02ED1093A6D6C7C19D9E4D95B6,SHA256=DE8C53B543F40F6CBEA038C5BA31F69F591C20B662AB3C3912522C99A918932C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:40.896{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C0DFB2C4210E564898CD28C4EDE3F4,SHA256=8B710A14881567215F618247A41592F49A793B4D45086FB5B5F8B437E862AD76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:40.883{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3ACF7FBF3993C78F4BBFB096C2E8BF4,SHA256=8A6C9A8AF73A518BC3CC242876101F15B54F20BF6CF5551732DB8F4B604DB7F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:41.911{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA14CADD614AEE10F7657E7823160A5,SHA256=E30D6C852D1777F5D4DC5B54A2714465A53C1650CEC42C785D39F2464522852B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:41.906{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04D3EBF3C9B3A0B08AA98E94E3DD260,SHA256=3AF36EAEAB596AA8C3BC0AFD5A783FED338DA336806B1B9F5040A7B2AD451E5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:41.083{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=022E313E8EEBE2D5B21A6CFEA0D9F935,SHA256=15E10C89A882EC2C349B7DEA4D89B160F6203A6AB2F1AB02B1E2D9872B539A19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:42.920{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF9693C6907F3907A2FF4E95F15F356,SHA256=D5CBB1D9B2B6726F0995B01B649C23C6681BD4CB518FDDA27BFF2E12E2DA0C95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:42.942{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C32F819B7274A5670C31B5CFE15259A,SHA256=D01F182132C6F5152EBF4DE39145A1DF872F55E619C6AA3542D94DCE6E961D24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047958941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:42.193{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37E7F1E063923441533A119407C1557B,SHA256=84C53F9B3C63E3DCDC0993E0430BE35BDD9243513D28B2486985FEC0E41B62E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:47.169{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58937-false10.0.1.12-8000- 23542300x800000000000000030726408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:43.950{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119A6A3877D7BB13C0D0E36A765E6D0F,SHA256=0D6E93232D2A1F2AEE7DE7B4566C4049BC20DA56DC9ACD83F5C0A2256A30DBA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.958{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380828773EA0CAB74A02F3C27A0C2659,SHA256=C26F77420CD2458E90721F30F57A0D9C2351F7F01C369AC206392C5508CAE63A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.661{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047959003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.661{3BF36828-657B-6125-84F4-00000000CA01}5964108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.661{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.661{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047959000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.505{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959527A17DCE377EAFA895C585B04CAE,SHA256=F4AA081C836E979B34BBC496C82FE6996F2D9E3E0E049DE335F6AA60DF08FFDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047958999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.458{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047958998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.458{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047958997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.458{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047958996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.458{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047958995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.458{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047958994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.458{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047958993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.458{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047958992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.458{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047958991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047958990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047958989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047958988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047958987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047958986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047958985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047958984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047958983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047958982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047958980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047958979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047958978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047958977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047958976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047958975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047958974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047958973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047958972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047958971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047958970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.443{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047958969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047958968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047958967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047958966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047958965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047958964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047958963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047958962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047958961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047958960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047958959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047958949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.432{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047958948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.412{3BF36828-657B-6125-84F4-00000000CA01}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047958947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.380{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8946194F411F884BA0AC6407C671E61E,SHA256=B6D3FC6890CF05B749F1FE61B9B002C0BA9683D7259FBF9B782286D8356052FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047958946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:38.991{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53870-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000047958945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.021{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1600-00000000CA01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.021{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1600-00000000CA01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:43.021{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1600-00000000CA01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:44.980{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FA0E394D65302BBE0C1800CD8A148C,SHA256=67DAF8D9EC0D0C9DD95F8F4648C08E40859EE66E23C6093CF42A9894FD733B06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047959119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.958{3BF36828-657C-6125-86F4-00000000CA01}36403108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.958{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.958{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047959116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.802{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.802{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.802{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.802{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.802{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.802{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.802{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.802{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.802{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x800000000000000047959107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.802{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD84DA1E12BF37955583CC5DBCFE1943,SHA256=85AD4316B051F798D6F3762D0B3A121E676AF66AA9E3D839149B2030712A3116,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047959091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047959079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047959076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047959074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.786{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.775{3BF36828-657C-6125-86F4-00000000CA01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047959062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.771{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1673E585A4A2DA03E971B882498D1697,SHA256=B11021BF8B120DAF318468F799B6F0284699705B16C5E823A61737F291BF9D21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.271{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047959060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.271{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.271{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047959058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.146{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.146{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.146{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.146{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.146{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047959037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047959023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047959022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047959019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047959017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.130{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.115{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.115{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.115{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.115{3BF36828-657C-6125-85F4-00000000CA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047959180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.818{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=297AB4D082ECD0B176A0AAE911B5BAD5,SHA256=00D85424527D0BC01CDA6CB0A50923FB85E5EBBF1AF4BDF0A20ED4B1B06FC532,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.818{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D02CBE059B29FE0252C3419B110588C,SHA256=C8ABC7C3EB4DB63A407F965F765A0CBB3B57FACF5E49816F5FF28061E0C68EC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.646{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047959177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.646{3BF36828-657D-6125-87F4-00000000CA01}42165652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.646{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.646{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047959174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.489{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.489{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.489{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.489{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047959154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047959139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047959136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047959132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.474{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.458{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.458{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.458{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.459{3BF36828-657D-6125-87F4-00000000CA01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047959122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.193{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E610C2FF4FCCEBDC0387477DD541414C,SHA256=A8165CC0F49555193D4FB03576E8B3B755B89EC34154276CAAA226EC03C51852,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.130{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=486D0259988A6CCDF28C7B6C59C3CB91,SHA256=AAC55CA5E617EE54CA37D766BAEDB3ACB14A31B8291DEF2251B56931330FD078,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:45.068{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F199985A44A2D030FF723B63201125,SHA256=034CC1D3617BA1B6517CEC5526F807C7CC0F4ADA997E8E6141A6F21DF245224E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.958{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047959296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.958{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.958{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047959294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.802{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.802{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.802{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.802{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.802{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.802{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.802{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.802{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047959285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047959264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047959262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047959261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047959260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047959259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047959257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047959254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047959251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047959247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.786{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.772{3BF36828-657E-6125-89F4-00000000CA01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000047959237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.318{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047959236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.318{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.318{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047959234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.177{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.177{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.177{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.177{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047959219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047959202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047959198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047959195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047959191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.161{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.146{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.146{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.146{3BF36828-657E-6125-88F4-00000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047959181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:46.068{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69287D0E082C72D94401CCFFA7CC1F7F,SHA256=74886907058C907DFD9B5211CDDF94EA6C694542656ED6C784B2465A994D6D99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:46.000{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC7B67C68E93EE270C51346043BB433,SHA256=28ED57ABB04414EA1C96CAE9DD7C2DE02A2926D5D8BA21B3D60C552086554C3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.818{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C33EA3D48ADBA0212882C3FC67CDA37F,SHA256=AD7833998CCDE79A886308C5C5C9FCA5DEA808668D47D240AEDDB7A43F38FD40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.631{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E28544074EC9E76EFACBF9BD122E6118,SHA256=B8C1533B2F954B6824691FFE4ADBC5D7350E71C1F75952759DD35E6DFCF7016C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.601{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A65BA3B7BD84CC848FCBAFEBF20F95,SHA256=48CB14E1F6C279E190EC135FD4BDEF3CB15580FE417DE61C68EC8122AE179023,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.554{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047959359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.554{3BF36828-657F-6125-8AF4-00000000CA01}36444988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.536{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.536{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000030726412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:52.181{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58938-false10.0.1.12-8000- 23542300x800000000000000030726411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:47.047{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8178B80A6DDE022BE9272600E1C30256,SHA256=60E852132F287C2728911DAC3B60C1227A77D7C669FA48303311009FF58AE2D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.521{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1EFA8C3D34B1187CB5FE83964DCB5AF,SHA256=BE6F8DED5C7E0C180A16B7B46831FE94C4A9D856C7CBC53880FC0DF9326CA527,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.458{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03ED27ECB914A5FF504864AD33141A84,SHA256=447290C601C613469F8082878616FBEDAE83AA2C0ADCF1252EC8AA95B6979C5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.396{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5250585AD27414BC979C86A198C9A47,SHA256=0D5DF5B748098177B5CC3D47229DD237038BBB8CB68825E6EAFB28B7B196BFCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 23542300x800000000000000047959349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13B99E53F5C45D40ADF7CE65BF90827,SHA256=16A5571F5E5299B51CD773CD747E22FF27EBB103E72B16077E5AB20D227307FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.349{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047959333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047959319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047959316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047959313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047959308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.333{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.327{3BF36828-657F-6125-8AF4-00000000CA01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047959299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.318{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC29D28A862C6AD0BD1670492137F945,SHA256=5BFC8CCB1A78CB5E7ABDF7BD1B646DE18F26964A11A82E6639D64F4B1B56D0A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:47.318{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9F8B6132431F78F9FE0EF2E3279564,SHA256=24261740FE53C8456CC36C1FDD4C7DBE5A54777B35C32AA5710B781EB28B95B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:48.552{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F44FAFA6E3909416BDC95AD1233898,SHA256=7B2E79795264227EF3232CD511A24384BCD2B17075EA20AB39C730AA875F8F85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:48.061{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36505A1F4313E9301E51B56CD60B7E37,SHA256=7F7D1D8195EFEA6776172233B412D626CC940EBC182E44216FC36E84DF580DCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:44.069{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53871-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:48.036{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60FDFBB7B56ED99CF8FC105B058A2283,SHA256=304255F74B20674ECE5078F965508C3996FC20D64C21B0A6041061B4B53883A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:49.568{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7A5E9D214B6B11C31E8BD9645EDFDE,SHA256=2CBA68471EF5E9BA4638B8598BB756F6D954BAB519F78C92833F2DA869C33B2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:49.094{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A434AECFE238BDD3257C1CAC731B5E,SHA256=0CED90245A6488E32B257DCF0A6FD0D22F5FD8B67C5A40E060EB72F8B01B266A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:49.286{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12C8B9E36C072E38FB02D50CE07A6EC9,SHA256=5025C1A5EBCCBBAD1ABC00E2C49B11D569981AE84515172A82FBE61CBB67B94F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:50.786{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=837F87E1E11856B0BF3BDF9642D0E1E1,SHA256=6C8A4B77024592519319477BD49C0782AB437979B73D2E65F0B24AD3EC77C6D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:50.786{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF2416B040373EE0C011B813B9AAE19,SHA256=D242E875F77F103D3874D53F62CDA89CD575450AF25979AFAAA957748F19F122,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:50.112{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6746B470F6D2516F18608C848FDD17,SHA256=4C85F6C8D4F2F3FB527B64A0DF4E946D7CC2442AE1E830DEF1F5CBE22A2B01FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:51.927{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AB13AA7B7F8FEFCA97BA5632EBA32C,SHA256=7FD676DC6A9486A0D77A3E10D7604C880E33181C3F550289E99D8A2A0CE5B0FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:51.802{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68800F064C181B9E806C7B9B6811AA6,SHA256=008C4773DBE46C35D960893321EF22AFC3B1E3BE1467620D9ED53B50C17CB924,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:51.127{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9938E5236A4F56A7F4F91C3836B3B65A,SHA256=78DB8BB99822CBAED23CAF2CB327BAB405A08AB4B63401EEFAB8C23CDDC56915,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:52.927{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3532138EEFDCEF95911EE2DA0B590A,SHA256=C853491EA8FBB1B6DC9F6C89F4C0E8699B73B6B46A8EABE38365E8847E8489CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:52.157{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D7F4A10CBCD2379D18E3C416F9021D,SHA256=0F506B5C2CC1409A1FB091541AC96B9EA3B98F94E862F835B0F1D442E9826C51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:53.927{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B54A36E68DDDA00CC0ABD54A124897C,SHA256=B8E206D94EAC08EA7C180F3849F240CD1FBD6E21566B2122944711F81689C517,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:58.144{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58939-false10.0.1.12-8000- 23542300x800000000000000030726418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:53.172{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7901D2136D9086B2402925DF78814992,SHA256=C41F041E4D65437B3E298260EADA822B10189A9ECF70EF83F4C99CEFFCAC6666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:53.068{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50D47BC3F16A322B2234546A9C251BA8,SHA256=D3CA0F4A9F06D56C3701ABCA3F40E37D4219DA45FC6CBD5B2DA7A61A0045C801,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:54.927{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E7C8BDE6EFA010A62198A1F39EEAFF,SHA256=61E4335A816B31AB3ED57E95FDBC14DE6BC025E32E782FFAEA6D0BF88EFC76CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:54.188{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5443836C547E09E8A082F28207C587E,SHA256=35171EB6F50B9C7633416F80BA0947E2513BB2659ED0F9B938EA2734651BB221,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:49.898{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53872-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:54.161{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A38F2F3183AA6DD856040BD63880FD18,SHA256=E7933A56665CF27C03DBF0AD5AD30B04F76FE7945E9EBAD4A60517C2D42151D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:55.947{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1ACDEA332CCF8A53BE73BFBE1D776AA,SHA256=396518943B7A4D01A1DACA61264F973C6349D05F6F6B0C4ADD115A9D0B53282F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:55.711{B81B27B7-4012-611D-0D00-00000000C801}7924444C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:55.238{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C4058F0FC856448F2AB1539850A130,SHA256=60FAF0FCB8FC12D9AD1E49CF884409237407B1B7619C58A29EB8AB8583D11684,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:55.224{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=857005C7C1DC34FCABE894C7F5FA2E0D,SHA256=86A954A901AB970DC196C31277C524DD452749640760D446E1DDCD505A6DD3B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:56.978{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842AFD24F5D5DA0C6045DC5D1384130A,SHA256=E7D409B7CA1B3EAADFACC294D0D6EA2D07F567A9C9E703831C91A4EE404CF196,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:56.274{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B58AB9354DBE589BD81B24F4065308D,SHA256=36827CC61C8763CDF6E96C0275E4E313D22DA68EE75B7494C3C8FCE2A79400C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:56.384{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA49C1C49A59C7E0A29D5B81369F7B99,SHA256=8D28EC335D050BFE4B9BB9A77FE9A4A73283AADBCE84591DA47C6070799826AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:57.978{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49DA6E71808DD5923A6FB49171B4690,SHA256=C0DD94AC4E3F5078BA27F4DADD8A42063FA99A478DCA8AF796CAE62ED756A1DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:57.326{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50371AB3CDB5231D6B91FC60249A00C6,SHA256=80B5CFB6C4CB52FDD16DE37FBE5B6C9855A2E63AAA0123C6029629919BFDBC86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:57.619{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8C41306F45793A948B42597C943E2B,SHA256=6818A71519FCBEA0B304A14CD7F810C90F20314568DAC394E2D3233E7750997D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:58.994{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C9FAE3F67EC825FBB7A456777229C5,SHA256=ACD6D60D4C6B5EF001B9729986CE3173843BDF8D34927600E358755B40C7314D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:03.160{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58940-false10.0.1.12-8000- 23542300x800000000000000030726425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:58.356{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B6A1EE518C7838054FA782FF5BBB0C,SHA256=EEACEB88A4E914230E1887C1BFFF856397D13A327183294898F8D1133222C057,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:58.869{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0DCC67054083A63806602515B90674E,SHA256=B46CD3DBA867E9E73C972E78DEBA952BA30DFDF0680347E0E5D457FE2CED9D04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:32:59.371{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E73ABF0B2C701E6557D68637D671C2A,SHA256=AE1BECBDB1D99536C8CDC1367B65E55626A09545D8D9156B40B6819F69CEA101,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:32:55.902{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53873-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030726429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:00.387{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A20DEDB07B65243F4B5281BEAF9DC5A,SHA256=7120A9BE86D0DC9CEFC69356C0B705797BAA5260BE131108E1456FBC7D9AA6C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:00.197{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06E42FC3FE9EFF6355ECE5FC7DDB3D89,SHA256=E040955522B619F3205809B7B7DFAF6B3FD75D1D4CE57A7E196EBCB9F717579C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:00.009{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1133003D3B76BECA72B3BDF423003A,SHA256=EF5D89FCF6487E22958827BE095800ECC8DBF346679705958912AF2AB1DCBA0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:00.190{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CC128854727DC4493E689BB0642BE62E,SHA256=438C870155169D367BABD08CC5663F630E4311536E3015DF197BE164219D5533,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:01.291{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=460AFEBBA570D7966F85107F7B179BD4,SHA256=DF7D90342C4164F7EEADFE10F857DEC4D35FE5EF3959C179F3C0AE9198A02661,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:01.041{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509B55415D23E146266E07E0F77EEF4C,SHA256=D6972BBB8DD70D4E14D99D36F38D3EE74341A910CA450CC319973F6558AA8C95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:01.407{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9877236B623094ED6942FB9D443EF5C1,SHA256=B5DDDD9A196FBDE00D02E9A8080089EDA70DCF1D3E3CA40FE70749F0081C383D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:02.437{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262B740229D1D907C1252370EA4E4AC8,SHA256=8786A43B80FB9B18789478651BFA1F26965D79F72F232A4561740C53D51E6765,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:02.666{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDF02544FB95D7F23E2AC99FE5A61F10,SHA256=CC2DECCE9AFBADF3A29F07570F9FAB2D47EC1188C29F42BD5822FAE7AB6F9E48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:02.041{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBA58E30710D8ECC1B2B449F2F32CEA,SHA256=F6C38966B90D0DEF3EE72BA7757DB6BED999C1D293CC8B01A8172A7719455ABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:09.118{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58941-false10.0.1.12-8000- 10341000x800000000000000030726440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:03.889{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-658F-6125-9A00-01000000C801}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:03.889{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:03.889{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:03.889{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:03.889{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:03.889{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-658F-6125-9A00-01000000C801}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:03.889{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-658F-6125-9A00-01000000C801}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:03.884{B81B27B7-658F-6125-9A00-01000000C801}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:03.452{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126E309E870A1739429ADFCC8B91584B,SHA256=C2B5A4C31BA5057371E222A6CFEB4FC5E20E713E5CB1CD0BB7AE4A9029B5FE2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:03.713{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=936CAB345D90B3AAD13E79B4A5855C6C,SHA256=2C7A5DCD47F309B32078784B6128BF8ADBD671A1EA2080BC20F2D7231EE11254,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:03.119{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE343CD06F5F229582981CCAB54F1680,SHA256=42DB3712C9CA4C8B7917DB29D638D7E3F75E306A8AC2DCA1ADEF57B95E2DF551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:04.567{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6590-6125-9B00-01000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:04.567{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:04.567{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:04.567{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:04.567{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:04.567{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6590-6125-9B00-01000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:04.567{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6590-6125-9B00-01000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:04.553{B81B27B7-6590-6125-9B00-01000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:04.468{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39803AC605D5CB3C31B53F3771C77CD0,SHA256=7941CD1053895DD20E15B6CD56C6987D5B6D7FCE02E6C3C42FF14F9606D4C089,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:04.979{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7688CB3E071EB1755444C5834E0EF8F5,SHA256=89285178F25FE83FAD4C0CA2A8C2827D888C9BA5350F0EE0123A2B58A94A1A46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:01.074{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53874-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:04.150{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1029D99D911B617E3D27443AB0BB104,SHA256=E1A8B403F3E85D2FFFF384F67E3EEEDB7DB881A39BD136534FF986ECA31E7831,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:04.207{B81B27B7-658F-6125-9A00-01000000C801}69404180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:05.482{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89AF19FF89ED6114035B4F295AC6AC7,SHA256=B1EECCFCF11697DDC4B15E30592F39CE1D72E5BD5177B3EC85629CA60B33392C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:01.902{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53875-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047959400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:01.902{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53875-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000047959399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:05.198{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3DF78C8B1F81FBF85F3895DDAE84B6,SHA256=AFB39974FE5C7AC29C9E8E02C6733D9289591350466D3EC8126B88043D39C7A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:05.118{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E7350875549A0EAD8842BFDA855AFAD,SHA256=AF873419E706D96B779F52AD48157687A880CA67D0F8766D3B3C8B144106CE96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:05.117{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06BF61855CBDB1F96A350A707660A1E7,SHA256=3B691A909475FBC0E2785493AD0D79ECB762E6501C61447507F2DA621B0B901F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:06.514{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A302EA9327A14E8AEF93C47A4D48DC,SHA256=571651E4027570F4E37B0C4B1F224B4A3C8C22C64FC79EF398AAB65D5DDEB5B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:06.336{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15A37E2499DABB6D43AB99853C4B91D7,SHA256=888BD370E3DB08BB241381E77FB85EE66DB1F758DCB8FAB4D3EBDD708BB4820F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:06.243{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27D675D34BBC43A415676F28CE5BC7F,SHA256=808671F7A682072C7CE560D9207B5611DC3B7004CF8290A350CF3198E768F6E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:07.465{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30169DD96B8169FAC2925853FC58CFB,SHA256=81C6D410BBECA0A8EE2E533E4897139C6BA758211E171E64574FF253EE6FC5F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:07.261{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BDD0B5A09C4685ABE667C9A665890D,SHA256=FD1460417A07A796ACD361C55DC203A180F8F89902639A0646464DD1A503934B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:07.564{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9667564246485AF48669AB2E7A806C08,SHA256=AC92E16B66B5DF8F94E84499252E7E26B4389F92B5D77E228B31FA29E8B6B1DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:08.579{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08B4F6D99BFEFC90847CB11840A5684,SHA256=4DDFBE380D477BDCE8B98531ABAA8313BD2163C968628AD701A22CB14EEB8A9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:08.840{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D90F0CA015527974B93C2CB804BA478A,SHA256=5C74B9461A1013B3B1A5B22FA0ABF28E19DD72F64586AE6CDC67B7B4FEAB116C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:08.261{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DBBF7A7483E9C13EEFB711CF3AE565,SHA256=C189C58EDE07AF1091004B71C344A54B967440090E1B2000D8B8A1A9AF9A9622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:09.612{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FCAD51593B992FAD414500CC7E96BB,SHA256=1FA59F4B3C8719C1632AEBDD6D66E0666806612BC080D2806A9085F8FA104588,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:09.855{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0633F1FFC5BC331BA8524294282E1ADD,SHA256=0A27BDD71D9BF8BFE05124C186FD38AEA6ED2BB44A080D3FAA0BBDE275DAB92B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:09.277{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D25B7E3ABB0AF95162EDBBE30F7F44A,SHA256=164764C1D7D9BEBCBA6BB4CB4DAB3705E027053D24166E560EA85F28651B526C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:10.631{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E36844BB0AD07BE2413EDFFF698297E,SHA256=25AB27BA372BE5FE4454879AF50310EB6D8D7E17DA5EF7AF0453453C67083638,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:07.013{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53876-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:10.293{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0AC8BFBBC9D07DD04B8DDA86992F67,SHA256=F4BBFA643E0298690EAB43ACB9AEB14DF2E70BD7DB3B46729ACABA2DABF2EEC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:15.128{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58942-false10.0.1.12-8000- 23542300x800000000000000030726461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:11.677{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4BA83DD2C323E0A2FC69C325051239,SHA256=38F2141952C00736D383A37D88F62F8E11B7C3421252E82F45F07EF81A5F20B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:11.746{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:11.293{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B384A1EB1799859C83823572A38FB4,SHA256=889FC06F97C91AE898686CB8E48FDA1AFD739629DDBC579C1E0B0E735D81285C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:11.136{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=522091F5DFF1150223BD094E96F258F6,SHA256=CE91D9771F64C890B57BCEFAD338280A64D182646FA89CD96C367F6FB0BD570A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:12.691{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582B8DC21C6CDF175B3EBEF04FB42C63,SHA256=6B4CC919A2EA8843C9DF947565A86A2B26A3BEB7CAE5EBAB89CBA2778EBF1F46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:12.511{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46639ACAA65C617A9D3171DE51CBF2CE,SHA256=DDA055E3839303EAE7A31CF7B12AFDE8E50385FF49B3728869A31CC7371BC86F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:12.308{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C58388A216CFDDD3A2AD55F8418B04C,SHA256=5571A18BCEC8D15AEA140C26954F1A68092326CC70617A45C17CFFE3347A17DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:13.652{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AFF2E209F3261A0AF0161DA9E69A8F8,SHA256=D009C021DE30E4BE3E5C9C20F045D60EB5F608CB6CD773223A402E20054918B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:13.340{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59ED8807305CF51B8A00694EED796BC,SHA256=6118FAD8CA69866F4FEF3CA9C3FDA2DAA78C92B1B89893E0897A8CF01B354D98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.891{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6599-6125-9D00-01000000C801}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.891{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.891{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.891{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.891{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.891{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6599-6125-9D00-01000000C801}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.891{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6599-6125-9D00-01000000C801}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.876{B81B27B7-6599-6125-9D00-01000000C801}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.710{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D59D9CC1AECBA64A81065D70E599E9,SHA256=A010FC6B316C80EC9AD1E8D3D668AA72FF56BC8B83423C52319AE91E305CC1DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.344{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6599-6125-9C00-01000000C801}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.344{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.344{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.344{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.344{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.344{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6599-6125-9C00-01000000C801}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.344{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6599-6125-9C00-01000000C801}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:13.329{B81B27B7-6599-6125-9C00-01000000C801}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047959417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:09.576{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53877-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000030726483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:14.727{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A2FCDEB9408C7628E30FDB626B76B8,SHA256=23196E9886198B80EA5D4436BB53A947DF17F9FFD6355FCB000C0198FF562614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:14.824{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED9D933E34BE88298F7E1EA9314855E8,SHA256=DC5A4B9ED49768CBFF0D283FB33D6CE390038AF1E64127B7F4856DA6938A1748,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:14.402{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD6CB988591725F37820C38A9C76978,SHA256=3D2E1160A5F25A0DCDE56BD556EC84D46DA685CA465B79236EA8BB6DB2F1DCF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:14.510{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3D539357D7980951C65EE10F9A462F4,SHA256=D08252CBF075B00D4D5AC3A120285EEFE65B983F7A8F8258BCFE3D5F04D6493B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:14.510{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E7350875549A0EAD8842BFDA855AFAD,SHA256=AF873419E706D96B779F52AD48157687A880CA67D0F8766D3B3C8B144106CE96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:14.091{B81B27B7-6599-6125-9D00-01000000C801}5308756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:15.757{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50452D71189D92721C167AE976D8E76E,SHA256=B798CE0383C1EC4DF6585FA59DD715BC054F8A44BE0689302433AE4459EDFA26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:15.402{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E2253E98953C417F24FF59F02030A4,SHA256=CC6DDF6F4006B20E524D1E04B5A6AAFD37709F3695E58AB3C3B9B9D25BF1D48B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:16.772{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6797F490D1DDAF9C709020B907E81035,SHA256=6CD0D8ED5C48A0E77D874E17F97F34062FB9AEED47D36A336C9CE65B02AC80CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:16.436{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC34935967B50BA022F7D2E8AA2E0A2,SHA256=524F7531D1C4CA4DCDF72DBA018308F5471E3AC8B7C3219712CFC7B767F7EF52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:21.025{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58943-false10.0.1.12-8000- 23542300x800000000000000047959423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:16.139{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1BCF60F36CCA4E491707AAC8BD8E935,SHA256=C3834E5995D30C166AC46832EA96F00B4256D10E6AAF903991DFB8FAE89AD95B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:17.807{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6606A86CA6724EC29DDCA520CBB79B,SHA256=D9D2FC5CF58D8BA4A41FA62AA4B1A0808484CC7F3C819741BAA8091356060FF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:17.467{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516E4D9EF9DDAD25E12A9FC3E22EAD88,SHA256=51106CFAEB72B4222011F7C45920BA8E30F7D38F5A68654275F8434CF1907772,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:17.217{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEAA4CF9D96BF605D43DA079137143CF,SHA256=040C1DCA2E016D45D8ECE726A59467443CD19332030D1F43EE329B2F9DF4F99A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:12.935{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53878-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030726488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:18.823{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C464EA898468EDE6EB54EA2510A8B456,SHA256=492E97F175866327039B2C74931CFA1A475A74CA111635B738D599730519FBC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:18.671{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15853906E7045BCA87A1C0D95D750C3F,SHA256=C8E0E480BD82FDEA13AF1BC2299A468FAB8AA366CD0B78574B2EEFF9668A2387,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:18.483{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C8A9180380366C23440D27F6D2958B,SHA256=3C22E522A60352769F442CFB67578D040D5C474D5C5BBBB843BBBE59538DB420,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:19.869{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAC900C060FD1004E579A752112203A,SHA256=E4239126D4334107E10CF8CD02A0FB810D5A458C154D2EB3ACC1650432DE5019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:19.983{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58797A1BC4A28273CB7B3EB069E8DDBF,SHA256=2D61D8F1A219FE20708A4C3337999E5734374D402DC9E7D9192EE8BB22332D9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:19.514{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330822C0CE3591DF3734A1B59F52FCD3,SHA256=F052E8D4D5FEA2CC10A785E674D29E6C7993C3F019F2109D78C29CE7E75C523E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:19.385{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.953{B81B27B7-65A0-6125-9F00-01000000C801}57966620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.884{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811598D8F722D9DDD759870B33729F64,SHA256=5D410544CAF8F39E29553FFDF6F2FE21FD6F0C6D071C971CABFCBD528800BEED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:20.530{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85E62865509CB608E804A2F9AE3AE69,SHA256=5FD448FE6CD99AB00DE1BF6855025078A10EA58F598B7C0C1BA39175827B5174,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.753{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-65A0-6125-9F00-01000000C801}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.753{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.753{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.753{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.753{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.753{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-65A0-6125-9F00-01000000C801}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.753{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-65A0-6125-9F00-01000000C801}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.738{B81B27B7-65A0-6125-9F00-01000000C801}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030726500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:26.138{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58944-false10.0.1.12-8000- 10341000x800000000000000030726499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.238{B81B27B7-65A0-6125-9E00-01000000C801}57603152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.053{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-65A0-6125-9E00-01000000C801}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.053{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.053{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.053{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.053{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.053{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-65A0-6125-9E00-01000000C801}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.053{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-65A0-6125-9E00-01000000C801}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:20.039{B81B27B7-65A0-6125-9E00-01000000C801}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047959435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:20.483{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=00063B5A1166D4B974482EC44980F38B,SHA256=26479FDC709E9BF356C5802F269B0BD19A73248C284F2CF2C422D89F2868726A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000047959434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:33:20.374{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x800000000000000047959433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:33:20.358{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x800000000000000047959432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:33:20.358{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x800000000000000030726514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:21.921{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76DFAA812397A8777C70C72D3F1F7255,SHA256=177B7EF014EC2C9027F4E04534C75DBCBCF4A137906F25F35EF19433653C8363,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:18.205{3BF36828-401B-611D-0D00-00000000CA01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53880-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x800000000000000047959440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:18.205{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53880-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 23542300x800000000000000047959439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:21.592{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850261E5D18C0A0012BD391E1F982579,SHA256=7AE93FC2CE01E8D2F10B3EF5CCF74BDDA0CB7C67EE969C737AE702146D04905C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:26.303{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58945-false10.0.1.12-8089- 23542300x800000000000000030726512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:21.122{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB23223527AE4AB202865B4149E83838,SHA256=0DB8B56C745E34755E215A7A220608BEF014FFC26F04105CB8300F67291CB94B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:21.122{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3D539357D7980951C65EE10F9A462F4,SHA256=D08252CBF075B00D4D5AC3A120285EEFE65B983F7A8F8258BCFE3D5F04D6493B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:17.939{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53879-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:21.030{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0448C62CF8E40E38F3AF692F631EADE3,SHA256=36611AD5100ECC791194417349A0B11B77F6411989048E6E8DA5EA1542FDD54F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:22.982{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-65A2-6125-A000-01000000C801}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:22.982{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:22.982{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:22.982{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:22.982{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:22.982{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-65A2-6125-A000-01000000C801}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:22.982{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-65A2-6125-A000-01000000C801}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:22.967{B81B27B7-65A2-6125-A000-01000000C801}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:22.921{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0CE1673B06362A153A4BF773D8FC1D,SHA256=B87BC04368221CB8DF747ED699340B480B93C65B7B2689EC5B32EEBCC01E7396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:22.764{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395BC0A22194F961021A3443C6ECAC8D,SHA256=81BC44F0DB00193D8E17F01EFD18B715C767397268B38206E79DB4F4004EF254,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:22.296{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9F11E0ED50D4587720DA6DBEF6CD520,SHA256=B3E38B8EE6E35D4938A542CE70DB8FFF0E590B14F07F4CF23049AF543DCED782,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:18.229{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53882-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047959444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:18.229{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53882-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047959443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:18.221{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53881-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047959442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:18.221{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53881-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000030726524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:23.966{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E4070B9D306584DE3A0C69DCB607F2,SHA256=5D22D58373D0C2F435CA9DA38D1B80B7548D8147AA044331499AAF8372A210F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:23.905{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15CB931F04771AA3DE3755DB8A7A9C50,SHA256=6CD418799C240E817A25359EDDE4DA0F6B1AE286B6E23672F1E77822A0271AB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:23.905{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95E6AA8D4FD57E3C5840A31476C696E,SHA256=02B596AAEFB5768CC29214B79A4E766499639FD4D4D729250BD8DE1E75906C82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:24.000{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB23223527AE4AB202865B4149E83838,SHA256=0DB8B56C745E34755E215A7A220608BEF014FFC26F04105CB8300F67291CB94B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:24.999{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFA30649233B7B6A83FB9CF25963F34,SHA256=88465AFCD55D4861D7D474954A01125BB87A802A0CD5E342535619074E5DC0A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:25.124{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2D48FE2C5CBDA5E6FFE0BE8C6F1AF4,SHA256=C95EC1B6C2144DAD76D500C1F0A1C54954BFD3CE9A551AD74B24EC48A87146B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:25.046{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15C2725E474B86CD4B9AC4976CEDDC95,SHA256=4CC878F0401F9FE3A41D029E5C2AEAB57F205DB4C2334762FB149BD4596EDCB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:26.017{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19EF39A56BF9213D587EC190E5E7CC6,SHA256=3A454C44BF0794845345F4CB8D2A750E8435D80E557C7F50492F2A4886B0A306,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:26.280{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6198EE874A61DCFF215FCC197896D466,SHA256=9552CC1A040F292C7302D5BA4870B9F005B9BA455862DACD3F5110463D5F74DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:26.155{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7B2F49E5965AA2B8A3B8DA65CEB5BF,SHA256=0348F3607BCD9183F241666364D804B876164C904C265BFF26F1719C84A746C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:27.467{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07C3EDAACB814F3536AAE7549DBEA07F,SHA256=C3199BF91A08EE9D46F2292D9713013F88CFEF59B25099FA9D7F39570F250B9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:23.031{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53883-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000047959456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:23.019{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-128.attackrange.local138netbios-dgm 354300x800000000000000047959455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:23.019{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000047959454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:27.171{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11495E77FC7B9FA5CCF94C22E1D04E8E,SHA256=FD30E235C11A9182A297CEC97776F7630F1111EE2ACE1380457E50C52DA8BCA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:31.999{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58946-false10.0.1.12-8000- 23542300x800000000000000030726528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:27.019{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D05A62E06CD22EF340BBF46D38B5EBD,SHA256=94F32C991DC2C2A0F6258D7D7611740DD5A5BEE95156CC6513FD37F96B60E298,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:28.624{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8076593F1558333BF08A85B8CC6A988,SHA256=F53B3CF865217A15D8892DF486FC675E90B8161D331FD027C9495FC7F61D5111,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:28.186{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD15EDBD08EA51ED7688B2FA7170E16,SHA256=9D1306E16D0568B9A041D5337AFDA45DABF914D4252C5580A6B8EAC5E0CA05D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:28.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD9BA3031648581A6220105F52897FD,SHA256=FE35FD61CE7C90D6999267ED201EB850D19D5B781251B1C162EDFD28AF10D747,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:29.655{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3EA130E76922C337A2431BDD8730240,SHA256=0B7273892F95B3CC82D7F4D6E937154251CAEA724D92D0805B60030DD37C8A9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:29.202{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB299D4E82C01DF3E6A30A43D07663ED,SHA256=7B6E01A1C1BAFD465C9376FCAD9098B2E428CCE258F11186889DF653E8DC7D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:29.097{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BD3CF9B9246BF3FD8355646BE95FCD,SHA256=B7D1111B4F2265A6548D80E51E2022D79349669E52F8ACED42B8DBC7D016766C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:30.116{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6D3375100231D43EB94EAE9BBA7483,SHA256=5BC80141FF06DBF715D62BF27789744F36BC50E8FFAD12349F650CD3F0CDA513,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:30.249{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739F6F8E4D72CC417820416138270BC9,SHA256=F6FBF6A2D3F07F53D2B4E87738790C0D3C58C2FF845CD490C305AEEC38F9AFE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:31.131{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7B7C41CDF2092285D4AB8CD6A42FB0,SHA256=10D0887E4AC2C7AA8EE88992F6454F1A4DCA06F0D364903A637FC696E17010B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:31.249{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838FD1046F4C17B8818A4FD905E6E660,SHA256=D8EA758CEFC583B7F258032E2015AB82477AD61CB84EFF6C4B26531B228A9619,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:31.108{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A17046B53D5BC9C93B5C6CEB3701860,SHA256=96DF0EFB62932D3F6F2764DD93974D58E63E7950CB4E2FFE72F4ADE2B8D1AFEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:28.938{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53884-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:32.264{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE50F08CDCEB9C8EF8529A55C11D908,SHA256=1B322DF4BAA92C95C664892152D27E9EBE4065D652031CE68605CD842B4842B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:37.131{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58947-false10.0.1.12-8000- 23542300x800000000000000030726534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:32.145{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6A0130AEE083B4E02049614C146954,SHA256=058AF4DDAEFE42201EAB0AFA0D80E0821590945A1BD9A50C382CE69AA874D464,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:32.139{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A74874DCAF0E143425DBDE9F7667DBC5,SHA256=3DDB174D87E0A467CE2DE7EF1145E79D25E41853B548FA31B8312A21D3FC70C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:33.408{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=752C829538B68572AC165035FA840E25,SHA256=349672FED4A89978EE89AEBC7FFE34C29F9C3919750345F651F133FEFF3D6CF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:33.327{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7B3D09B1CFD4E372032C79DE899FA9,SHA256=4283D6BD237D5EA55A8EB6C5B383AFAC4C98A08A653C029A7B089C595C5E6BAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:33.160{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A6D31B295FE49668E107262DBC0786,SHA256=0A6BC60C99BB7ED74094D0701BA072D77FFCC6342BD9556EE3DC9CAC037BE685,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:34.561{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3497A159957653C104DD9BE6449A88E2,SHA256=700425ED3773D48FD0B4E5A07D0A27B8988D0B0D427EF5F6BF187408A8E10654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:34.343{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3E60F1BC0211EF5FCF816A962BFF6D,SHA256=045C71FCFAE4006376D4F057E4EC153E99ACF814452EA22EB18D2FB52F021DD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:34.175{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32C025562D506C623C468F38DCEFC7B,SHA256=2CC467BC58640BABE5B0DB2BC7F4EDCB001A5FAC96CE2A4D9981504EC8423DD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:35.191{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10CA419D659A2F4AC029CAB91D1E83B,SHA256=E2FA61749F63B24105EE53985133DE3F460D45A3024DC60BCD611BBCC230EF16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:35.702{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60DA0F502C74182437CBCA5D3AAF473F,SHA256=E8EE3DD94EDD5A9708ABDAE933FC8AF785AADE2058E8A25D73590A898693A441,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:35.374{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C3D45F834C751483C1A655F0454E6A,SHA256=2FE57F39913D29B48636431FE1D39824D6DE2FFAB8E5ACFEFDB5F880E854CF47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:36.211{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FA4B1552E1D96DA2C7F505E14F7A42,SHA256=D84EDB27F08A5FE7CE9150371BC66E9F066712544214B1E079F4176B8B1DCBA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:36.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12DA1B46A16587DA2CC664A0E21B5E69,SHA256=628D2DDD0D8B1428D63D6AE0FAA2EEE0EB82D85823759936DE12285C9A1F82A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:36.374{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA6E88148274FF821EABF6CAE4AD5BC,SHA256=9B6AD0119F2328178B5CD6F41FE3E909A8A05418750C6EAB94E2E727D571C587,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:34.048{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53885-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:37.421{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F9FA19B5C43A7C5BCD1D37C7D6DD7C,SHA256=16A4C328011019D77D99EBD0EEE00B15FC137A1BD170CB7CEF9912F5297B4AFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:37.226{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20CBB6F5B0D4C75C1D1BF562F40C6DE,SHA256=0175491C2576E6A7911786AC484C779C4DF5EF2F462AECF608D31A5A8E8BB7F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:38.437{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A555282D3A9C02D9EB193A28F3D7695,SHA256=26B36AE02B5AF1A69907BBA426F0800E3FBE09A6D6BEAB59009D1294FB53F78C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:43.007{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58948-false10.0.1.12-8000- 23542300x800000000000000030726541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:38.244{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1750660A9125658FC6810F1B192A7BA,SHA256=8D2F5D1AE0E3D1FAE7E43606E0DA13B2BE4A50CE4BA8E0BC3471B174E2AB1D63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:38.109{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE35AE67F6A293DC766DB4F5FF352FDF,SHA256=F57FDC60CB523021739D6B8D408A891D0139A9103505DD75C12CB76B25704761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:39.259{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A570D6AC1DDD9393A3A292F6D99127,SHA256=58AE68026B80B9EDF3D97AA6D85D1A5703AC7F0FE2CA7BC22BDA092F8B37F155,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:39.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=263AC6E32594DBFE1D54D2F07DCFD787,SHA256=530C325241FA54B46952028A20DD35DA929A60058C464F50B2AC12E6FC1A8CE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:39.453{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED68C45A2421A0CB203F5412D745C18,SHA256=F286DB295F6F2FAFD3DEA08D1729FB2497E5F5C5F38290992AF5094F7CB0975F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:40.906{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0541C6C489CA2F300EDF7474DD4D532B,SHA256=E2F8F553002032C2965D31B1CE6F6BC86F4EDBF15C8B66C3F6B37E7DFC5F3E68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:40.468{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F0B8D6B247D2501A58015D23C829E6,SHA256=0BE7BD64486778CAB5E68AF525336F639017778C9D3F21F0CB1153D58C2C0486,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:40.274{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4046D3440414476A77CB6008C59FD44,SHA256=2A270833028795BC3844593C8BB07BB52375B259A1A02D84EC1B2AE53F7F35D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:41.291{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748D774697FB5A8D7153F12FCE782857,SHA256=584BFD909029923E51760ADACA189E3577A5B06360A7566CDC9522F73A3ABC37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:41.484{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66B4889229F55EC62AC637A29F2C4F3,SHA256=1291D09A1D1DA8E88BEF54AB1DAFDC28E627B404815EE84DE6A32D094ACFAD34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:39.048{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53886-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:42.515{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C2AB0C9DF942E5B2B6D302D0DB8814,SHA256=77B124BD51F830D729AC0C179298CB8899150FEF900BE98A9A11D55922A9AEE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:42.325{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBAB31DF602975CB741FC749CFC3452,SHA256=BC195C4552E42E2AA5AC8A72B09A9B378056B2A240A667700F2665982B2B61D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:42.156{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42CB63E5EBBEE55BBD930BDB96E8A737,SHA256=5E357F101A0B33671F8C35EC385612C2BAD5415497A030C0E1C94E970BA89CFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:43.355{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979DB0E933917AF5E3A30CFD23279116,SHA256=C00EFFA349DCEA45266EA0B9DECE9B98B8076F4F45D73832F89110CEBDC47A29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.718{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AA75C1E8F9F5BD2B4282037F5F2244,SHA256=8E7ECFFDFE589C788EC48FA548BFEE15C599E332A3949CAFB1BE36415CF64ACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.593{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047959544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.593{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.578{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047959542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.468{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24EE5CF62C07CFBE31AB072A34A86E5B,SHA256=B2C9AA75B9E4C972BA7698C7C86AC03FD9391AC43334A451CB449BB042A03A54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.437{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.437{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.437{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.437{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047959522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047959508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047959505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047959502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047959497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.421{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.406{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.406{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.406{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:43.407{3BF36828-65B7-6125-8BF4-00000000CA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:44.388{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666D150B57075CD34538395731FC21BD,SHA256=AA1C1B653111EED59D7C5057C03771855F4779DC4C1CD0607C65010B595470C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.906{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC8FFFC4D78ED59AAE31EBEBE2F1E318,SHA256=D04EE8863167975D0757B2718157360B90B9A9924F94500338F7BE1F71AEB0C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.906{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDFE783F412574EEA1DB56AC9D9F840,SHA256=138E5262E39D157AFAE986E93D8132ED2376904DD04F103CC294AC54325E0231,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.812{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047959665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.812{3BF36828-65B8-6125-8DF4-00000000CA01}38925984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.812{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.812{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047959662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.750{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABADF61132AFC509158A496C42E6BCFD,SHA256=1FE8E99702878ADFB74ABD3D725A6E6CCD85905559CE00390A96743233ACE22F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.687{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6F95479FE6E6985AE4891A7BE1F79FA,SHA256=06509FE64EFDF5F022E0C5009080B990C302FEB8CD3DD827E24EBD70F3C9EA8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.640{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.640{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.640{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.640{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.640{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.640{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.640{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.640{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047959640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047959625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047959622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047959618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.616{3BF36828-65B8-6125-8DF4-00000000CA01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047959608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.625{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0C0F12BDA8EFD5CDA0FEFA54BBE01D6,SHA256=8285B1572159E256452FBCC05F2986944DDCD78C1D58C7FE0B83E2740A5FBCE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.609{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=740729D4CA0F9E68BACE7FC29D056FC2,SHA256=494C0C162AFCCC4AB27E3A3673F13F7544E7D314E8C548A39F4CC5C2E6E6CC73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.609{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C67BA016546EDC45E4A399999EEC6B,SHA256=47B9965EF8748D646266EC9B91DE760CDE54DB37647B85F78F5496861B42C8E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.515{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01EEE2EE61F10E4B263436EC23816C11,SHA256=F8D206C7161F9E9377F54175902DA1602B90433F72CE40A82FDA9DBADC855B1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.453{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=180EB78ACF09E1DA02B5B4D38EB76842,SHA256=7619733921246A92FCBEEEC720EBF6B724740814A5C2714091D3108CEDE60F53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.390{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BB8AF43FA6E58BD6715A9C6F350259,SHA256=A343E0A4085421804582CF64BA84D488A84A469DD63CE8D3460DB01EFC3E1E84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.265{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047959601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.265{3BF36828-65B8-6125-8CF4-00000000CA01}31524348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030726548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:49.043{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58949-false10.0.1.12-8000- 734700x800000000000000047959600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.265{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.265{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047959598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.124{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.124{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.124{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.124{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.124{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.124{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.124{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.124{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047959578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047959563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047959560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047959556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.109{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.094{3BF36828-65B8-6125-8CF4-00000000CA01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:45.421{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78462E4F8D535484CA152B0B4AAE7598,SHA256=7626816EA273DC82DB73FEBE5F5C01927CFED6C6711665F011AB78291A7EB3FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.750{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=486F5126CCE3F6C75B6AFA5E3F889796,SHA256=59E80BADE8B1607034C65A064F2D87F5271FF8C1CA6F105FC2EAEB8D0A93FDD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.640{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8028AA6919C42F9336D53D958C19AF,SHA256=50B28CD8A40A3D286C148C72A9A2297272B5127C6E3FF7CC11132A9A327DAE25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.515{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46F9ACA755188B050755DE1AC58549E8,SHA256=1BADE735804F5581C45B147BD12EA7FD423EBDAB521615A681E1CB6C7D218CE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.453{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047959726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.453{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.453{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047959724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.453{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35C0B9BEF1E9101AEA2FAFC0B471505,SHA256=242F628803ECA318CB83CC77A2A151A468AC25A6923BA44104B89D167625E4B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.328{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.328{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.328{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.328{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.328{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.328{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.328{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047959709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047959691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047959687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047959684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047959681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.312{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.297{3BF36828-65B9-6125-8EF4-00000000CA01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047959670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.093{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62617666B81B53E534D474D46021117E,SHA256=EED4DFBB6CA79B10B770A1C60CD8D69E13FD7E9F631C1863B6F4D2192C7BBBBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.000{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=761436843A429B0746F71F5884A421C5,SHA256=BC197AC0CDCCDA80BBB85E68CBCFF6A9BBF3AAD9F39820E689E07C2C66DE370B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047959850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.828{3BF36828-65BA-6125-90F4-00000000CA01}5976516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.828{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.828{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047959847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.828{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=393685A236E4A5DB710DC228A9F6413C,SHA256=36A811A62A564FB5BADA9A9C320A5CCE1A5F6F2E0C6858BB5ABDAC37AC32012D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.828{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BFD1819B191BD9BCD4C2C9FC22D6E2,SHA256=250B7C0CFEF73CB85FDA6EA5D143DD87DFEAAB3AA526E4D1C9619B5B1C5EB3A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.703{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.703{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.703{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.703{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.703{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.703{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.703{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.703{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x800000000000000030726551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:46.436{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53AE425A1FE4574BC8AB309D8A36AF6,SHA256=A701E7963EED15FED2568D58A79AEEF1F2B5321B66B2D1878DC70412131D89AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047959836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047959821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047959809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047959806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047959802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.687{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.672{3BF36828-65BA-6125-90F4-00000000CA01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047959792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.468{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0404F4BB3AB8A18154D35517B596E82F,SHA256=7F2D15BF1379CC45051E93CC6B50F24FB629A473AF0AE1C9358CD51365110F4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.156{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047959790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.156{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.156{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047959788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.109{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCE7B8F7D82216147653DCA13BABA6F,SHA256=C9A68136057574EAC2E1AB8C482C1B31DE123C65B8E75C246E3AB2C401818F01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.015{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.015{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.015{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.015{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.015{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.015{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.015{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:46.015{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047959778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047959763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047959758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047959756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047959753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047959752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047959751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047959750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047959747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047959744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047959738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.999{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.984{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.984{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.984{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:45.985{3BF36828-65B9-6125-8FF4-00000000CA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047959911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BCC3D88BB856901CAA45279F769F0BA,SHA256=C4FEDEA4F46E691B09E0C20C4062D9CAB8B7FCC6C3F7C3C8F6F4768D18BCFD29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6C012290898E571C40B754D792BAEA,SHA256=E9F802EE2534851C61EF1C4CF1E7F79FDFB5DDDEF98A5DBB72DDEEF2B2A7DC11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.546{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047959908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.546{3BF36828-65BB-6125-91F4-00000000CA01}6442764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.546{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047959906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.546{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047959905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.453{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C151DF40475D590ACBC893FE276E2CB6,SHA256=88C3C662A31DC423D0CA7C62FF8B017F2A75E23D86687DD21C90B3DA049C2124,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.453{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC08F20733A90D9B86ABA16BA067566F,SHA256=6F8BF122730F9D1E2747422F8354D82E28975E3E5795D3AC7D45E91C8972B2F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.393{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047959902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.393{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047959901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.393{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047959900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.393{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047959899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.393{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047959898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.393{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047959897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.393{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047959896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.393{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047959895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047959894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047959893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047959892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047959891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047959890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047959889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047959888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047959887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047959886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047959885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047959884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047959883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047959882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047959881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047959880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047959879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047959878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 23542300x800000000000000030726552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:47.450{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EF0E07927561FF7E040F06D5790852,SHA256=CC0583AA162969041AE3B1AD00C4BD3FC9139F5546D3594753A772FA33796540,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047959877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047959876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047959875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047959874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047959873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047959872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047959871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047959870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047959869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047959868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047959867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047959865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047959864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047959863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047959861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047959860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.375{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047959852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.359{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047959851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:47.360{3BF36828-65BB-6125-91F4-00000000CA01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047959915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:44.923{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53887-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:48.859{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178EFBD474C451A8D26C41D4D8FBA6DD,SHA256=9EC9B2EBEBA0AB58D89028C4A716935726DD143CD0AFEB4660D9EC567F59CF25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:48.796{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C4185C96DE06A25F0AB62E3F3124F72,SHA256=5AE2712AA48447F5D0E82AF40EC0257446CEB0167EC9A0A4032F8E7051ED7C4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:48.437{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C45124828B3F81996B7FB0D91CB331E,SHA256=7787D04AB505B529DD76485221B59339388EC5CB931714046214D7177FDD8ED3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:48.465{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D589D75AA2D4BFFE7072DE1E808FEB70,SHA256=7179CB92F727F9678DDDB364F89B67EDB339CCBC411218014B930DB51C2214C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:49.875{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6B396E220FA99C5181CA9349C26AE9,SHA256=B35A363B58C3F090D27D49D7BAA2B13FE803C3B8E58B16965BE958A37F513E96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:49.481{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3561F64E4ADB35BFA611BDEE1AF5398F,SHA256=503FB7AB8B9D9C81944B2EEE63A1844974203614E41C2EEBD362B2C0377FDCC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:49.515{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0D3C85F2D739F914AA28B589E8DCD9D,SHA256=A5667DF267C3E7C7CFE71DF2D6D73B40234737E9FA78483BF6038819C2072D61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:50.875{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6632FCCA85CDA8C967874499056717C,SHA256=95A39B2D3324C9226B84CF0EDD7E0FAE02B8EDDDB8758A1D86E9B36C0D4B2124,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:50.485{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E8CC366FF90FCA6B751090290775C5,SHA256=83BF6EDE7599B8F5A5239BF99AB3A6DF0801097CF2B80D9AF2A25668FA43BC43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:50.515{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46255DBF08F0946929125E066048738D,SHA256=4442FB8043E1FDB783B9DE4BE639519ED6D17D05F03BCB2828F4A0050FE56D81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:50.140{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B4DFB9B7138A11841D60087B34F46BB,SHA256=FF41A5366101134A0ED34E5A78C4965341DB1196F5FEABCCFCA09B2B90851E66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:55.052{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58950-false10.0.1.12-8000- 23542300x800000000000000030726557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:51.515{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDCF3F8C6D5088254F229F03716D6BE,SHA256=2839FF09D5D6E8E9D44393F3E59F71A858B308814E3005241D06E58710CE7642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:51.500{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCC76218CCE575A6C7D5AE456C133B57,SHA256=24205242494769A7A48E0EC20406685125B85C9C610C50B110181377D3BD7C69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:51.140{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=934AA6B8939E71978A90E151F97C5427,SHA256=7C7EABBD4F8CA1BF54840D2E458423AA15A67DADA49D52E741BB5DE66DDAB58B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:52.750{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38240033AED62B0A8C68299D31587A75,SHA256=D134F533CB0ED8AE980DFCBA51E5D8F84428CF25DAF8CAACA9EF9BB94575F15A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:52.125{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F4C03DD36C9A73BB6F81765B5FE7DC,SHA256=A818516BE99C1137CA4C89EC8AB45DC5547B8F6B91AC90638794C1889E720BB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:52.125{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD688556B0BEFA9EEA4A73D531EB6AD2,SHA256=50F729D98371CD0ECA33157893BF0A681EB8ABA0732E51BACF550E2866F2BF44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:52.529{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD0DC107CFE3B257C91BD4FEE6FED1C,SHA256=17FF78C5C2DB24B967CEDA9269051F03759268EA6A13C53E53574AEBE356C79E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:53.579{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F00ACF760B793FE52C63686C4EFCA40,SHA256=E1DEE9141388287B33ABD258C3D9367E67AC89C6F15BAB1F14EB4C02C8FED151,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:53.781{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E232587AD6DAD42C2F540ECA30315F4B,SHA256=11DEC5310ED9C1FAA46AEC6428ED4228ECE2A10B8CDDF7811DEDF68898F0F6CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:53.140{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07132B81F02E882D63F2D4F2FED68754,SHA256=1AE52A28A4625757ABE6F2EFF1A5B02CD1D9FD471C42489E95569939104F2393,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:53.125{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A927BDE682B4B57C7804D3500F9B4917,SHA256=D5CD7CBE952D0E05283012E01CADCA16F5C9369ACE2EE1A31B32A0CA93D835AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:53.109{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA9DDDD6B0C5BAFD492ECBCB68EA2E3F,SHA256=342DD8C1674930D7FF407F2A579CE9CDFC2709D5EE6F0C17BA9E978ABDC40E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:54.597{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156E142403F2D875AFAE3CE5813CB521,SHA256=F183149F5868D11B6B677D1AFAC1E9ECC654487333334BBF851E7D0C7EBD13DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:54.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E1894BE7A908AE1B73576E98826CBF6,SHA256=AA2823FBFBC1D5ED798E3AC5D7C14C3CC6A8D75E06DBA436A8461EF5A3BE6BA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:54.187{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC78240135B0C6733EEE7839A57703FE,SHA256=D5A6D59A043908B3E8ACAC8FD381EB67297995D7C04C020EB9CF390C9F8664B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:54.140{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C887CF72CE62BDD27989A5AB9CE6600,SHA256=1B5F985093B0B07E54F909FA04560124F96E5697EA41E07264D66621E0FF90A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:50.096{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53888-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030726562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:55.611{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F9544BC88CCFDCDADEC0D2E0672009,SHA256=27FE224FBEE424D14EC7CFBDD778CA2707FFB9FB5C26661A7575B92108B14B78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:55.859{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=316F54B4310498EE6434B92882640905,SHA256=F034E377EB3E9E9E089052AA37506C66649A5F31C4184E3E9634CC7DDF141485,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:55.234{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C54CD3B35AFD8A82765764D31F70F4FD,SHA256=3D65F5AE60DF44AB11FA757FFCA38B51CF77D300A68A2834B0166A58194C4722,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:55.156{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BB77BACD7F834CF1BD332BD1D2FA9D,SHA256=AB7A79730C89574471CD49127A1CF868D305A470C50DB506B7A158CAE69F2450,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:00.132{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58951-false10.0.1.12-8000- 23542300x800000000000000030726563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:56.642{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EA2F75957E856154DF84DAF5E3D7CC,SHA256=CA885AD72199E7A82B622F8BD92A2F1B5FA525A65E12C5B3BA3DC1E9F3EDDF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047959950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.843{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047959938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.484{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41B23DA4976811B71B3908BBEC9607A3,SHA256=B566266BD2481F50A7E97F03E9C72E926E049AB5DBCA83694E0B97D75A39D00F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.484{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6155EE582B6A3B8D251D1F52BAA44CE,SHA256=D2989F0BF30C48DFF9B46A7966C28346CA4A397818331DD713522A78B91C5497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:57.657{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABBDCCEF175E6300826C1C2D19C06B9,SHA256=36DF9EF6ECCDCBDD6B6DC76D7CB8637AB17A392D112DBDA23A262170B9AF9587,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:57.625{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA3D5D1C69BF37F09656CA7D29BE455D,SHA256=B012ACFA4BC8A73FEEB962EC4AC5054ED38B69EF0A224F229050AEFA80070768,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:57.625{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0AB6D19A25860C749E408AF55B921E,SHA256=BEB3559A8CC1017046DDD54AC081DAED6BC920FEAF0ECA04FEB2977A39D5CF8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:58.875{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7223D1B740BCB261B18F9FCD8222C8C,SHA256=FD6CF7B85FA185689326D143826BBE85FA6CA68FF0610F6573FB795A3477D1DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:58.734{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CC7292D265F8A3568BB6F2F6F329B6,SHA256=6C96FCBFBEAE5514D9288979A207A9A62EA465237D6F79150BD29080F2AE4AB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:58.697{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF82C61CFC1F3E8C55E8EFEE32E7FA1D,SHA256=8BF43293C2AA0FA17F35975D9945EDCE43B7ECC6747F00A5F5231FEE49F07C2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:58.250{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A9752904230D4E2135ADFC6E7B66180,SHA256=FC75BE2F3C616FB830E8BB863A6DF1F5E4D4C66CE9D1EE78C6A611F28432AD9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:59.750{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA48E25215FAB7869A6ABAB2F963AD0,SHA256=2A7C77E6BD08308AC5A77DBB2B1CD336EF5EA1847D60FB34976283DF78698911,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:33:59.711{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A1D132A68D24B9437942F84886A4E8,SHA256=26D4D6F8D8524724F2055FAD181D7D9BE2E30D9FE41DA54D0AC4D684BCADC2E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:00.726{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB216C4A5318291605C86EF7F14FF9BB,SHA256=19B6226AD6DC18BC20C169AFF8BB7D7D48469675F4D1C4B88E1D42C15606A6ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:00.750{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A20BEFE1B9E4FC3A084C36018665D0,SHA256=EDE7AD995EC900E1CE7390A71186A2C2C5947D354FDB34A86600904796463585,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:33:56.001{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53889-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:00.015{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A14E591FA6622C5B9AD897F3D01FE91,SHA256=58364E147E1392BC71C1CA3F4518530C4CF4451D9CCAC82315DB2015B96B871E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:05.977{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58952-false10.0.1.12-8000- 23542300x800000000000000030726567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:00.195{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A436E8640FD2EF3F1DF2E503FA101838,SHA256=CEB26AEB408FA87A439616B260F6C17EC4B9E978F1432552C5CAE2FD196BA92C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:01.740{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C78348A573CE7167BFF2ED53EB4598,SHA256=01B34331D47F57C95E1997B6C586D6E105CAAF356EC6E0E45B0FC0AA24C2B880,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:01.765{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62496661B323F655728A2AD73A21B1B,SHA256=195C63CFA00183E5D6FB67C7E44ECA1919B9C97ABFF6EA6A61EFB1435E0D9CED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:01.031{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39DE4675C5E886D9AB7022FF8DE50DC1,SHA256=20D8A3280CE9771CE08A05B73FA3D9DD65BEF0037C32E26E2901924408181BC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:02.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E94565F4FA7354852C7DADCD9C4EFA,SHA256=27FC82545F390EED90D8F6412A4DA58283946959153A0F353A57F35F0C145EF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:02.781{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8118F847CDFD75EA76E4BBE83CCF607,SHA256=6FE090A42D7D224F5956969B64C5663839041429DB4FC933A88806A6C345EE78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:02.234{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F134135FBDC447F27A6F240C53139D61,SHA256=868B690E1859BF60D5A1331CEA6FC264F7FE29E50D79F2C7A312DF2DD3E1978B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:03.797{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567DF4BE621F459EE3DB99F8EE738C28,SHA256=E97F66AC63FBF9D09ECA368B0193B9ABEF406CD6D07B12E8075FA7F8FD980DBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:03.907{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-65CB-6125-A100-01000000C801}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:03.907{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:03.907{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:03.907{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:03.907{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:03.907{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-65CB-6125-A100-01000000C801}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:03.907{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-65CB-6125-A100-01000000C801}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:03.892{B81B27B7-65CB-6125-A100-01000000C801}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:03.807{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB36A1C720EAB0B529D9CFD02EEEBF69,SHA256=026A2B53EE44C16302092B6C45EC84084703B8FB881F877AB4199A2D65377A6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:03.484{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AE5A1D45A68172A7C66867C370BB1F3,SHA256=FD3F29B87AB6AAD8E069155B06086F6833EC343D535AEE0C9F38696951B8D1ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:04.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BBEC02BCADA42EE26CB2411C30459D6,SHA256=99C6EE2E76C69A2CDC121EC589839145EF9B3FFD3C903AE251A3E865A35C331F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:04.797{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6299F4AACBE93699AC36B61FF507E233,SHA256=EB4799868CA11EE72C8424453F73A85C4E053D3B807663DAE801FBF7196A89DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.907{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A31A63212B8427A59CBF16CB2F3CEE5,SHA256=74834725B27395442D47FE0BBF81DF4C7C163CDA0FA4C50F287AD0BB2D915004,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.907{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BECF823173D766B1A76DD016023D7A9,SHA256=0BF55C2295F8E94330D923E9CBDBD7848CF9442A373250F82A2A6C22A5D775A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.838{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4D2236E3661E9F6FE2A8086CFE1AA3,SHA256=A795D6153F519C43F1F99B70671ABF87BAB60E038B26A1B03377D6835C04ACD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.591{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-65CC-6125-A200-01000000C801}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.591{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.591{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.591{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.591{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.591{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-65CC-6125-A200-01000000C801}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.591{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-65CC-6125-A200-01000000C801}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.571{B81B27B7-65CC-6125-A200-01000000C801}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030726581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:04.076{B81B27B7-65CB-6125-A100-01000000C801}46442000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047959970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:05.797{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDA7AC0EFC1AFEBD29D08C48BDD3676,SHA256=54737DD9BF92931E5797891C23F142FC40C2F035585B10AAEE0BDEC82C90A4E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:05.853{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88C2F247AC2C8DD32F3F952B66FCC1E,SHA256=B930D6B5D9476E2D9F893398E6F0D867E5249EC0D27B5C39EA6A7D40D0D65AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:01.908{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53891-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047959968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:01.908{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53891-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000030726595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:06.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC36847DAC2E99EA87EFC2412DD70C2,SHA256=86C313919F70A5910C5551B60C69216463E9B0D8A3CAB51EC0ADBED865FB9ADF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:06.798{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A06257F6053C0523D3DA813636CD32,SHA256=74B60857126A89476369CA3D4F94F299F7D9654A6AB81622BB6EB5188CCB2418,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:01.913{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53890-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:06.032{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1D7BD6966A461BC6EA8064D4EF63D89,SHA256=BE643C9F862B3CE2A4317A9A49FC64A3AD8ACD252F49B267CD85C6B0A4C518CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:11.125{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58953-false10.0.1.12-8000- 23542300x800000000000000030726596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:07.903{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFCB184EAC58921AD1455A371AC1105,SHA256=09FC352427F63B81103406A07A8BD119E023EBA65B79E14C88447801638AA596,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:07.799{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F456F6B33733A87D6D6FE4DD8C537B60,SHA256=A6ED280CD4FB054F2A60BE6D5CF1ACED7E0C87BAC34CCF8929BB98D634485D6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:07.143{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BAAF457967482DA3555A8BEC1CAC256,SHA256=1B5AEBEFECAFB4578E670249500E5E94E1235A18C2796C7B53A573D1BEE806F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:08.803{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFF0023F3D5837B449779C1E51481CC,SHA256=DE3B1203E9EF42D61BFCD73BD3735601D834D507AAC7E455C79BA19B6830F7BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:08.935{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BED1970834F41F42255DA97C8B42C93,SHA256=C60423C621DBB02B9E6A7CCC586C2D4B4B31FB5F8D9E54109BDC834C6EBEB65E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000047959986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:34:08.522{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047959985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:34:08.522{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fd35af6) 13241300x800000000000000047959984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:34:08.522{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79927-0x63693c75) 13241300x800000000000000047959983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:34:08.522{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992f-0xc52da475) 13241300x800000000000000047959982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:34:08.522{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79938-0x26f20c75) 13241300x800000000000000047959981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:34:08.522{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047959980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:34:08.522{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fd35af6) 13241300x800000000000000047959979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:34:08.522{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79927-0x63693c75) 13241300x800000000000000047959978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:34:08.522{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992f-0xc52da475) 13241300x800000000000000047959977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:34:08.522{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79938-0x26f20c75) 23542300x800000000000000047959976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:08.397{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86DA093839EF32927FAAA367670B0A73,SHA256=1E92875DE79C24A38B1D77974D87FCBE738AA3C2CCE9E6E14A330DA2C69EC749,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:09.803{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECB889F1212B2745A2E935125BE91BD,SHA256=A4DE2576F365DAFB086A7045480A43EFEFB83EB8C6F32B62976FA95CBE348C16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:09.949{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC1C2A6C12313FC8BA6EC38FA4EB70D,SHA256=ADD27FD720316FC5F071869F04486521E1E51D8E9E975413CF862544D158DFE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:09.553{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B45C898B78BF3D48B549E606FE7CD4D,SHA256=E4E2066E7E561A01CA17B6C25EE2D95AF01AC5FAE3EDBD6C9400CE50AF8D7C48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:10.819{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672F33B3BC7376915A6B27FE2D94F234,SHA256=01781AC03F35DCF9328B1F5E7F62CC3319D0FC0C8660AC4B7F4717FA5D37AE13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:10.966{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40F5058B410CB92D63A9AC6F0F237C2,SHA256=390902C4F9D96A712D3BE5B9602850A2129184E1A6A2E711DB8011458F777174,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047959990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:06.961{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53892-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047959994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:11.913{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8BD7F12DF73E326B3A5898585C3E7A,SHA256=EBB5480775A3676FDC5759B9280D06A75EC8368C268CFFD9F25A30A60217A657,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:11.968{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DD5AE64572C68814BE169ADBE20D37,SHA256=06DA4D5CF60273B42A9F2F6D372E4F933BA1DD751823F773E654EBF4B3ECD5D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:11.788{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:11.006{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3854B9A64593873DA6800C79132B06C,SHA256=889047794BE81A46EF3A94C8BBC87AA6920C971F80198256AE46998230A9B201,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:17.098{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58954-false10.0.1.12-8000- 23542300x800000000000000030726602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:12.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0E31EF72BD91FA955E186DF9DB8740,SHA256=6DB396CBD9F531857767636201C6DA8A17D5D60FB2153E4CDC5EDAC0C36AEB2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:12.913{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614F4D2380A3C5AD3F5D96BA01A60B8C,SHA256=25D87134950A2501BACF32C1A48DE34EC7F5F22FCDD2FDC935C9824FBCA4C324,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:12.147{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F3D3C4687FCA9751F29B3807E3C5FCB,SHA256=B2BC61ACE81F6CC2C8863233C328F7AFE70C2037B0E331E29CA212DE866397DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047959999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:13.928{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF6F49D8E49E1BB692ADC0A95276F3B,SHA256=01AA83A834D29687DCF43F92C164319C16C218B820036910A63D2F2ABA052DA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:13.483{B81B27B7-65D5-6125-A300-01000000C801}10406564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:13.345{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-65D5-6125-A300-01000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:13.345{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:13.345{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:13.345{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:13.345{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:13.345{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-65D5-6125-A300-01000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:13.345{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-65D5-6125-A300-01000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:13.330{B81B27B7-65D5-6125-A300-01000000C801}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047959998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:09.602{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53893-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000047959997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:13.303{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89137BAABDAD4649911BEE92DE4F70C1,SHA256=A7817E2CFA70F78CECF0D7964101015F0E20F3159E47D2873E058756F4220222,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:14.975{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839678B9828D312644B32AEF78D3C5DF,SHA256=4B71EF756FF8B029E77EFEE5A45B95658DF374FD55637E4415BB11C6692B21BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.345{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C16787B75AB89DA9A1258C470AB82B09,SHA256=4A5F9393C61DFA4C93671559F39BB79CA84DBB2BE8194666FE3D9307868F9DB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.345{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A31A63212B8427A59CBF16CB2F3CEE5,SHA256=74834725B27395442D47FE0BBF81DF4C7C163CDA0FA4C50F287AD0BB2D915004,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.029{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-65D6-6125-A400-01000000C801}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.029{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.029{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.029{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.029{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.029{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-65D6-6125-A400-01000000C801}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.029{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-65D6-6125-A400-01000000C801}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.014{B81B27B7-65D6-6125-A400-01000000C801}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:14.014{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3197DD653595B5FA8B966F764EFB2F0F,SHA256=5573FB625498E5037933286A0042D9AE4A6D5B7327AB560EF19EF28B7FD1C375,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:14.460{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5FAACF312D819F82EC92D2C39FCDA93,SHA256=77DF8B5F64B47C08158D949597076044DA59C9861CDBD7341AED2E37B67D3660,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:15.678{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78914F10F1A3C50BA31E01394039A1A0,SHA256=87EFA44040229B1B9DF05D7C92CEE6F4A9C44AB76918B3185CEB5EA2C1093764,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:12.039{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53894-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030726623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:15.028{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0413959E053FEDC90979086A8FB71755,SHA256=C26E02F23074F67CA250D5AF28B9036E4DAB2E47579522ECEFADE518A93DB203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:16.896{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC8EA49D4E64D20D2C5323BBA1836F43,SHA256=D426266CF4050C0917DD9CEAAB5644AB79A52496F1A68BF1D7B84F3C383D74EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:16.006{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B88460C20A8D9709A66B1D0F852617,SHA256=2D039257557D2107FB6CA99DF9F6237F582C1E320B69005B6886DA17E14D04BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:16.060{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AA70E56FC4C3A01E5C23EC613F33B5,SHA256=018D24152927C0FE83BD2DA526350C235A1E16C3E3A3D73E3EA5402A6B8600F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:17.021{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C12EF9D082D53F13341F929AA50BF6,SHA256=268C03D1E7AB93B744EB2EE231519E96395B5065C71EED9E104681710988668B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:22.146{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58955-false10.0.1.12-8000- 23542300x800000000000000030726625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:17.079{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D20BE960AEE0488139E8F34FC074AB,SHA256=7EFEB902C8875EF22602ED6104B49A53B5CF37AB9A7FFEAD926F50F9B3FC590E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:18.109{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE84C6C523CC76B531537F2FDAC53B0F,SHA256=28959AB1670314D94267FDD7AA56C1C5B3C8FB54BD0A2174DE4D5C5052ECE705,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:18.568{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=548B16595E1709B5424F423B792EC373,SHA256=0EFB7167340C7021B52F35A3432BA9E7453D9C0D843B408E2CCBAA9CA5BA4CD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:18.037{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E12A4DC60F30CA94E58AE3D14EF0D00,SHA256=F44EBABE380C1BE50BA5CBE5EF0C8B26124E4C1D827C33184CABA387FEB6B6FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:19.724{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7E781EF0BC6D38B971DB8AF001D1BA5,SHA256=85A31E73C64618988F7D76F925171C0971E116CBBB1F40F03F805FCECF5DBB30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:19.068{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63928AE1CED4B8572ECB8C773A1A92C0,SHA256=B9BEC0AF6081D242841A82409E300584724079035483A86027C78D2F9532B3B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:19.457{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:19.456{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=873596ECCAE02D8DBFA4D711781971DC,SHA256=C5CE827396B0E4DC8B8FF72924CEB37FC4D90B83A09B05B87A8FF1A89CC79849,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:19.408{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:19.124{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634EFFC6E0E49252E73047EB0A05F4CA,SHA256=43D508D49DA19FE35CCA6F2BAEFB21BC90202E1160766D40F0B9BF3648D71958,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:20.927{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D558E5E71626C7948B95BD6F23D5F721,SHA256=78ECA30BAFB9A40636D447882E9CD9F0FAEB82C2DE5411905FB397FDF408245E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:20.490{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A7D14F2BC4FE1525CB7912DCE6D5107D,SHA256=E92E211597E54CC4660A61D1E2E751682A00C47470FE5FB1A38F0E1D1C143C8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:20.084{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E671F85786DD1A62A4E0D66DCCF1AC7C,SHA256=0A0537BB0E0DEBB7936C8C66726AF1973830170CD9F25842807237C582A214DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.922{B81B27B7-65DC-6125-A600-01000000C801}42282820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.756{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-65DC-6125-A600-01000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.754{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.754{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.754{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.754{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.738{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-65DC-6125-A600-01000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.738{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-65DC-6125-A600-01000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.738{B81B27B7-65DC-6125-A600-01000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030726641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.223{B81B27B7-65DC-6125-A500-01000000C801}50684740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.138{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D3814A7EE980D74992E44B61DD9767,SHA256=E53C16D88384B30757184D1C47AD5665A7FB0C59B67129829C01D86497B0AAD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.060{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-65DC-6125-A500-01000000C801}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.060{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.060{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.060{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.060{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.060{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-65DC-6125-A500-01000000C801}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.060{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-65DC-6125-A500-01000000C801}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:20.055{B81B27B7-65DC-6125-A500-01000000C801}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047960015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:17.882{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53895-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047960014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:21.084{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB814CE7082D9D7E8D6CFC7DE10C4D6,SHA256=C512676EF246CB4E270496C2A873A3898027F0B965700BB91CF93FE37F98A9BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:21.159{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C859C1135F4E984A9F3C6B25C74D4560,SHA256=1A034FA84BE589069442B2415AEACC93C7FA68C9B8BE73A0C59EFBEF3B962C65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:21.075{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFADFE8D98073E366E97CD689E203343,SHA256=DCAC7B582DFBAEA29CAA8383566ED9866508166FB1220B3284EFB11AA82E72FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:21.075{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C16787B75AB89DA9A1258C470AB82B09,SHA256=4A5F9393C61DFA4C93671559F39BB79CA84DBB2BE8194666FE3D9307868F9DB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:22.989{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-65DE-6125-A700-01000000C801}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:22.989{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:22.989{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:22.989{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:22.989{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:22.989{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-65DE-6125-A700-01000000C801}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:22.989{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-65DE-6125-A700-01000000C801}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:22.974{B81B27B7-65DE-6125-A700-01000000C801}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:22.174{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0854BFD3772175ECD9D5F4A502E49D42,SHA256=1427587D737224CA0270621204072A4DDBEC7D364A92660650C1FF150FC5BEDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:22.349{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86691699A096A05F0AE3A516B9CAEB31,SHA256=7374851D7C4415D1F7EE4AD5D18CD21BBAF8D997816151A48738952320CF4EC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:22.084{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C2FF47136E12897B303BBF9A2E3F7E,SHA256=98462A8117637D7D93DC0FA71251115860C64EFD14F9104C4E3CF14B35DC3688,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:27.157{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58957-false10.0.1.12-8000- 354300x800000000000000030726654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:26.335{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58956-false10.0.1.12-8089- 23542300x800000000000000047960019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:23.646{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFE907F3C5867F8735ED728D6D4609DD,SHA256=32B1C563BE048E55F96D09EBB38617D5974ED1C4F83D21FC318907B6D96825EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:23.099{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2263D6CB5E58D083F4BDF850BC5FF71E,SHA256=4F1E10340326DEA8AC59632F505EF872D27411464833E98AE0DDCDF773E7212F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:23.987{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFADFE8D98073E366E97CD689E203343,SHA256=DCAC7B582DFBAEA29CAA8383566ED9866508166FB1220B3284EFB11AA82E72FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:23.204{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B022B790A76540322EEBEFA0B2A76D6E,SHA256=D241DAAB6144EEDB12E1E6C38ADBC38C4E66CB6C53260BFFC1B7582DE13C0BE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:24.218{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E680B59661FA3D8C858A77219485C8E3,SHA256=6BBFB445B9018609BEE670AADE1F003A5C67EDFE4E0BA9F85AB20C8B9F1C3A80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:24.771{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=870B665C4D6186EF6F700844D592AD2B,SHA256=BDF2EA5DA3D8B426E99A5558CC114197F785672B8A364DB3EC2AD20A43C592A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:24.115{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACBBD8B1B9CF6F45746D343AF032135,SHA256=E3B88F58F9C73291E0270E20A9F1E47E9E06ECE774C37321827F37F2DC64E75B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:25.233{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DAF03740274B9A4E47580F7F63C33F5,SHA256=BD1DD6C80A45994F6D1E5DE46D8B84CACCB76ACC5CFF33A07AED367C34406DBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:25.162{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60326C6D9B382824128113091618F15,SHA256=3B7785B71DEF7734F928F72AEDDBD414521D49B7AE478F7F53C741C1680708AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:26.800{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:26.300{B81B27B7-5BF5-611D-6D04-00000000C801}50044520C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-5C05-611D-7D04-00000000C801}7108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+121a54e|C:\Program Files\Mozilla Firefox\xul.dll+12bb468|C:\Program Files\Mozilla Firefox\xul.dll+29f3da2|C:\Program Files\Mozilla Firefox\xul.dll+478adb|C:\Program Files\Mozilla Firefox\xul.dll+d52d91|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb|C:\Program Files\Mozilla Firefox\xul.dll+418ff|C:\Program Files\Mozilla Firefox\xul.dll+1230b8e|C:\Program Files\Mozilla Firefox\xul.dll+12092bf|C:\Program Files\Mozilla Firefox\xul.dll+3f67e|C:\Program Files\Mozilla Firefox\xul.dll+3c7ca8|C:\Program Files\Mozilla Firefox\xul.dll+3c68ff|C:\Program Files\Mozilla Firefox\xul.dll+39d1b0a|C:\Program Files\Mozilla Firefox\xul.dll+3a6ebb7|C:\Program Files\Mozilla Firefox\xul.dll+3a70129|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c548|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:26.300{B81B27B7-5BF5-611D-6D04-00000000C801}50044520C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-5BF8-611D-7604-00000000C801}6296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+121a54e|C:\Program Files\Mozilla Firefox\xul.dll+12bb468|C:\Program Files\Mozilla Firefox\xul.dll+29f3da2|C:\Program Files\Mozilla Firefox\xul.dll+478adb|C:\Program Files\Mozilla Firefox\xul.dll+d52d91|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb|C:\Program Files\Mozilla Firefox\xul.dll+418ff|C:\Program Files\Mozilla Firefox\xul.dll+1230b8e|C:\Program Files\Mozilla Firefox\xul.dll+12092bf|C:\Program Files\Mozilla Firefox\xul.dll+3f67e|C:\Program Files\Mozilla Firefox\xul.dll+3c7ca8|C:\Program Files\Mozilla Firefox\xul.dll+3c68ff|C:\Program Files\Mozilla Firefox\xul.dll+39d1b0a|C:\Program Files\Mozilla Firefox\xul.dll+3a6ebb7|C:\Program Files\Mozilla Firefox\xul.dll+3a70129|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c548|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:26.300{B81B27B7-5BF5-611D-6D04-00000000C801}50044520C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-5BF7-611D-7204-00000000C801}5572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+121a54e|C:\Program Files\Mozilla Firefox\xul.dll+12bb468|C:\Program Files\Mozilla Firefox\xul.dll+29f3da2|C:\Program Files\Mozilla Firefox\xul.dll+478adb|C:\Program Files\Mozilla Firefox\xul.dll+d52d91|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb|C:\Program Files\Mozilla Firefox\xul.dll+418ff|C:\Program Files\Mozilla Firefox\xul.dll+1230b8e|C:\Program Files\Mozilla Firefox\xul.dll+12092bf|C:\Program Files\Mozilla Firefox\xul.dll+3f67e|C:\Program Files\Mozilla Firefox\xul.dll+3c7ca8|C:\Program Files\Mozilla Firefox\xul.dll+3c68ff|C:\Program Files\Mozilla Firefox\xul.dll+39d1b0a|C:\Program Files\Mozilla Firefox\xul.dll+3a6ebb7|C:\Program Files\Mozilla Firefox\xul.dll+3a70129|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c548|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:26.300{B81B27B7-5BF5-611D-6D04-00000000C801}50044520C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-5BF7-611D-7104-00000000C801}5384C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+121a54e|C:\Program Files\Mozilla Firefox\xul.dll+12bb468|C:\Program Files\Mozilla Firefox\xul.dll+29f3da2|C:\Program Files\Mozilla Firefox\xul.dll+478adb|C:\Program Files\Mozilla Firefox\xul.dll+d52d91|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb|C:\Program Files\Mozilla Firefox\xul.dll+418ff|C:\Program Files\Mozilla Firefox\xul.dll+1230b8e|C:\Program Files\Mozilla Firefox\xul.dll+12092bf|C:\Program Files\Mozilla Firefox\xul.dll+3f67e|C:\Program Files\Mozilla Firefox\xul.dll+3c7ca8|C:\Program Files\Mozilla Firefox\xul.dll+3c68ff|C:\Program Files\Mozilla Firefox\xul.dll+39d1b0a|C:\Program Files\Mozilla Firefox\xul.dll+3a6ebb7|C:\Program Files\Mozilla Firefox\xul.dll+3a70129|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c548|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:26.249{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F576BD7637BFDE327206A6FCFA2BB55E,SHA256=CBAB9606B16C1808752693DE271A014B4833C148D38AF672B1941F1C4CE3EF7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:23.007{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53896-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047960024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:26.177{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976EB3A2D48B175B523182307BE93FC5,SHA256=6D4D1FBD07120959938025C80B9213AF68CD3B56A3EE0A454F7A4178B5CD5A1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:26.084{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B5AA4DB0694B7295EF042F1DFF52FF7,SHA256=D603F11FFDDA786F9D79322477EAA4B9DEC09F077F101AFCDEE711BB2D0FB9E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:27.315{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE4CCF7B8F3A0E8E9A11F8FA2D92ADF,SHA256=0DDCB6CA4D6E24D3635EAB8DEA557350E247F2F928C3F5EEA1ACCCDABBA46835,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:27.349{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A17760173F10CEF37C46D59CEEB75F,SHA256=6FC47F20C1BCB7BA1C76D7647DB3DCCAB80D679D1AAE25F30A4AF6854648EC7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:27.177{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141676546DF803B28F2A83D1F7734567,SHA256=0B4FD40DF15E29AAAAA9A98ECC2A330E3CFAD04256A6F1280629876B47B5F2AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:28.330{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B08482863328010176B24678357ED2,SHA256=A703B3F225BA23297DFA1477DF5D14E16B6EBF81848B391CD6ED4072F223BFD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:28.599{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40C666C0B97403304532B81C3692BD3B,SHA256=379AE2EB061FF4007DE744C29BA3A9D842E37F6C69FCE7868F431AE8B513A348,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:28.224{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A441B6C05CDC50D8B074CDDE71E74A2B,SHA256=2FAD317431CBC07BF60662926AE3C27EA2233EF941D32BFBB871E7AFF212B62D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:33.035{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58958-false10.0.1.12-8000- 23542300x800000000000000047960031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:29.631{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=911436D09B7BBAC9854B7FA8BB8067F8,SHA256=84440ED939C9E4C34E1CEA9D524CFC7A3C924E9820C62B5C7D669613FB30E2CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:29.240{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7A9227C9145101A9CDF58B17DCC439,SHA256=B1956E0A15E8E697C9B3DFBEAABBBEEFEB1F43C68400CD691ECFB08AB40A8610,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:29.381{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB8DBB6517932F4ACE51AD91B0749F6,SHA256=555FC201A1E5610777A7556C56383362270A43A754257ED6A8039B23103C43AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:30.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F8F7A4D31E567EDE18FD3E215181D7,SHA256=DD60A1670981F9BE6B1C78C9AEBDACF51623F21331DD28B8FB44784B9219C093,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:30.912{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E86C2B609CFEF94522327FE0B3EBE55A,SHA256=2ACE2FB793D35EB396D6CDD0FCF2F34590317ED8F4D9A875BF3CE8494C7BB01E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:30.256{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776C20A2EDC56D35B364DAE1872DE32A,SHA256=1D5CFE3F4B6982A6EC86CF3B7BE413F66528B8418B0CCEFB81E8307ABB609CCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:31.427{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789E2EEE30E36A0FE914606F90783CEA,SHA256=6B1592C9D973A0B4CD88B23296D73611A3FAA0530B8455B53AE63C941EB97A99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:31.287{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDD2E354DC5CC16F06C1DDE335F6687,SHA256=3542E786FAB039EEA5D657B561A41354A4525FAE99EA2F573DB25B9829B74D7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:32.444{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED7B1501440BBD963DE3286A2C58C56,SHA256=796F6C53210652F81AB38FD380E68531241472C49DB1C94DEB794AB1D14495CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:32.287{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA80E05465A8E5BEE9DF9C657EE247B5,SHA256=50727979FC0F8D78FF3C0906DCF5B5CECBF54517080C42C8FA6B2D951A5A39A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:32.209{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1573476C40CF3ADE0806379CF31DEDFC,SHA256=77B4FD2527A9F366147B461D1CE91E211FD33B26A6001E9C390B548A4A71D3BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:33.463{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9949B6A82920CA23518D326395A910,SHA256=6D084769616AC0F3BAF80AD72D22171141F86FFB9F5D93D4EA9836485C342937,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:33.506{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEF06F7D196BBDF8957CA0AC82413F55,SHA256=6E0C5187B5E008812297EEA3CC1642EBE37FA88C4BA9008F0A25D6A136BE29E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:33.287{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97A8FF1F54C3492129106411FCEBD11,SHA256=376870C96EDD3FA8372AE396590DE40CC974632124D671E2A5987CCBF8641E03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:38.130{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58959-false10.0.1.12-8000- 354300x800000000000000047960037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:28.991{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53897-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030726684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:34.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA610AF006DB5AB6CB1AD85816DFFFCE,SHA256=7DED69D540C19DD5EE4C849FBD4CF29586B3156B0433F6A2546820D782E59AF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:34.693{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=102B2C6BA6FAA28D54C7CD8FC5AB713F,SHA256=460BFB6FB604EFF9B74D0BE14386EFFCF915D194D2D32CE18064463E10A7F768,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:34.334{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECC197538616221847FD01DF09BBB36,SHA256=3730D0D2EC59165CD68168A2D0485DE6132E2C4DD6575E70FFEC07024E78F0D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:35.541{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340212263BD119D2B81440896366FE9A,SHA256=64D31BBDCE842FACE1D038B7D3D8089EC04160C7DCD4246EE9B913F5624807C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:35.897{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE28D134F4015D2AE19A19962B8CADBA,SHA256=ABFAEC03FCBB0989812640A388F7DB059C41660F5E2B09E09541E12A611AE2CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:35.365{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B9B1A65F62022578413E12ABCA6FAA,SHA256=C1C3D0A201E1B72E824930573A4053A51F5A41820866920BA6D4D9FDCE4A8959,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:36.560{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF48E95A2A1C54EC225D4F715A5F6DE,SHA256=1A77962073846D58F2D76B7D0C97A627C82C03FB708231C2105A65506E8DB8DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:36.366{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B057ACBE8C3B626CFE1B57CD0EA204,SHA256=0284D0F97008DAA74304447F2029AD5FA39F9F998AD164FDC60121DC02320CC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:37.575{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC20D5E029F51DAC80D4071F153AF81A,SHA256=8AD53A28E6820C25D3DAB61DA7001F6BF9E0B624FA948C3E4777EA7ED35ADC8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:37.381{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D6C29CB3FFE071FAA93BD1BBFEAD2F,SHA256=71AD65116442F115C51B9B76CBCF60273344C12908B30CAF22586F306AE6CF3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:37.100{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A19FFB8A9E0818CE111D24DCB42F1B17,SHA256=C1C54A7C1A579F5F7F2F9461BFF2A30C04C4F43064B73F93FC2E28C453884A50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:38.576{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4988502573E48E9594FF98E6F1B3C3,SHA256=C7ADE602A94685E9ABB9A24461F2E134403334249D69D43A7ECDDDCFEBA5188D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:38.397{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28704A93370B8DBC0F1ACA5C7B54782A,SHA256=DC4F1422D57EF5FDB65AE2E90F3CB2BA7BE219DD51715A7D514FE47C771BB22A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:44.009{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58960-false10.0.1.12-8000- 23542300x800000000000000030726688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:38.305{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:38.210{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=344C7C5DE6CEB8A2B6090A0801E18E69,SHA256=A34822DCDB606E4D219C104D33F71A9276F954E892C7F0C089F2EFD2B8349BF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:39.606{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843E43BDD585F1970E7FA7369197A5F9,SHA256=72AE21543FD770FC8D17E1322D8CC0F9720DBF13CCE89948E194EC606C5AEBA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:39.678{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F2C7B75D2BB789A194429B3B1DDD0C8,SHA256=79C6A7A06E0D6A4119CDE6EB4212112D1FA95D0D85802E1C371C7382A17F2A94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:39.397{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6589BE4D33240A7F58714B7F917EC8DE,SHA256=836A3EB39ABF34B0694551503F8CF421C69470F3738FB48151803A1521D2390A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:34.960{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53898-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030726692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:40.638{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49B8CD34E280242F38B1255A4D877A1,SHA256=EFA754680CF815526B436E723395039D33298C994A46D01BD10B9BF2B0945591,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:40.835{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40A6BC74C767295FE211A546CE9B294C,SHA256=44AEF94F03835813CE4A193D550F48A079821DEC6D56CF8DB41F4F2A8DAE6BF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:40.413{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CA9A11494B2DB0997BC5779D98DD33,SHA256=527CD0A151FAC8355BA816A324E3DC10A78C21602D82B9B8B8CE3E481E1F3A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:41.657{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542CE0C1FE115C372C4ED62269F936ED,SHA256=2C339F408189A1ECB5746F15D7B9B3129B3143A2959E0BA510041D3D3982EE2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:41.835{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=B4332BA59927A682C03B60276DCCD71A,SHA256=A253BFFDF537C4E5281E7092A352D12995432A9FC0B984162D42C1E370AF100B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:41.835{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=CF176DA45B2D25C55D721D13E275C000,SHA256=530D17E22E20B63CDEBD795655C723CFE552FE539EB38205F071A6C0FB9DEA9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:41.835{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=C476F7BBB957BAC9B443FFAC3B44C3A1,SHA256=5C43411E7A7E6510B448AF5ADCB98B1268E1A800F17B6326E0A63DB3C632F903,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:41.428{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DE3A850860EF2DFF0BE6F4EC6D16F2,SHA256=DC592B72EA2DAFCE624DDB6E023A1840B15DADB68A9FE95AD0B9266437946923,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:42.672{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364725F13169B9D7538320639C38CC86,SHA256=59120BAF1444DDD043AE11696DA0B525E8186887A45AFF0546E081AF034733B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:42.428{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6770C99D195F48F3F6711072B98C28B,SHA256=46F68CD5D402053D7D93E50B9E88194BE089F6FF579134902D97651215DAFD2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:42.085{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9152C2BA64CB19F521D3CA389B689634,SHA256=5A833C4744FA9E6AE3BE6F578F282ED501BDB7E3458A984C2EB5BB471E81039B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:43.702{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF64C2E23122A69AB562CBD5826110C,SHA256=7460DE10BC92A574092070FFB80CDA6669E2FC0FB0209006A0306795AEA377C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.678{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC524F5744240B86285D4E221F83324E,SHA256=CDBC23789D42046291723310609C91B53879BC965CECD6C4499A62959E9E0D60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.631{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047960120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.631{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.631{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047960118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.460{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.460{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.460{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.460{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.460{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.460{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.460{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.460{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.460{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047960109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.460{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047960088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047960086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047960085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047960083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047960082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047960081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 23542300x800000000000000047960079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389FD8130AA558B7CA8C19CFEFCDE9F0,SHA256=40AB534A0C588BF8A5D02CD86BB5B9BEAC803FA7422595B1574BC7FB938B1D6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047960077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047960074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047960072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.444{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.428{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.428{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.428{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.428{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.428{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.414{3BF36828-65F3-6125-92F4-00000000CA01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047960060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:43.350{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C5DC7EC2506E45584ABFA4797E3BCA1,SHA256=C737AB57F822360FD79F0124B0107AD6D7563247396A8EA230B69AF82B90F193,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:44.734{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D250A34902516194E01BEE44FBF01B80,SHA256=0EF0D115E0100D2AA185CFEB92436D7AA13BA3E4DBEF86396DA78113B28FE957,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:49.122{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58961-false10.0.1.12-8000- 23542300x800000000000000047960234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.928{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D45686B7BE51C1B5380D3E8A48C84368,SHA256=BCFABCDAF02D73E7F99DE0FB82AAE3A4C744D3842FA565758ED4B6E620A791CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.850{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCBF7086C03CD97232AF9DA28715EE1,SHA256=FFDB8652B518FA963EAA7B82D498F2651053A70A91025A9DF9C65B1C70A566C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.850{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.850{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.850{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.850{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.850{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.850{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.850{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.850{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x800000000000000047960224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.838{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D48A17C26D4026F13718CC1B2E0D7D33,SHA256=31721F7CEE1DDE553D00DAD056D52325D2D88BC276CF8EFFC7C6A7BFB8FA8A20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.838{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.838{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.838{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.838{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.838{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047960212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 23542300x800000000000000047960202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93FD7FA48E692DE68F8B27A050D03584,SHA256=66D1BB9F0DA80E73F2FFFFC4EC11E4080EE9D8885EFAFF36B7F47082591F8AAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047960195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047960192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047960191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047960188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.819{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.804{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000047960178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.303{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047960177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.303{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.303{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047960175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.149{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.149{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.149{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.149{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.149{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.149{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.149{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.149{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047960154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047960141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047960139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047960136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047960133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047960130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.131{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.116{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.116{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.116{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.116{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.116{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:44.117{3BF36828-65F4-6125-93F4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047960300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.866{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF00ADC4E9FA52C2229B437C60FBCD0E,SHA256=30888F3EAA6EB9A48142DCB268198D096085476FB1220D09021BDD45919852D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.835{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9B4F06CCED936AF6127F425115285E,SHA256=434AEA0A1D9A2B84F62E7E2DFB4A6F899C76FDAA92AB493BC9E266FA2632D80D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:45.753{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46230DA90FA008ED8F447E78E1DB3FDD,SHA256=960F45F5DB107507CF789732A5BF5D97FBD26AA3B147FB387B7566283F739981,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.803{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94ECE85B0CB78D456252AA06EA3A5FFA,SHA256=80D71C07C2EF0EB30E9CDA9869F9D01FC002935CEC10176FA8D16583273D763B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.647{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047960296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.647{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.647{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047960294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.522{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.522{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.522{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.522{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.522{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.522{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.522{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047960279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047960262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047960258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047960255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047960254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047960251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.506{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.492{3BF36828-65F5-6125-95F4-00000000CA01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047960241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:40.882{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53899-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047960240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.178{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46A25CB017A4D3CB843241E303396E1D,SHA256=43C2CDC4867DE4B76B2188C68ED87B4A6FF727479E295BAD1BEFBF83000FEE60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.131{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1F994114059158860057ABFAB57F60,SHA256=4F9EC8136C6C62459996982526EAD69485B6B5807D7623AFB77A2BB23A444015,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.007{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047960237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.007{3BF36828-65F4-6125-94F4-00000000CA01}43763752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.007{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.007{3BF36828-65F4-6125-94F4-00000000CA01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000030726699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:46.767{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CED3C4A7DE5EEC50779B49F9FF45A4,SHA256=16C6519E463ADF84B5B2ECAFDC2CC627C257048B80226884AF538B9233F07215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.897{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.897{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.897{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.897{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047960388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047960373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047960370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047960368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.881{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.866{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.867{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047960356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.350{3BF36828-65F6-6125-96F4-00000000CA01}52885476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.350{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.350{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047960353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.210{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.210{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.210{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.210{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.210{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.210{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.210{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.210{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.210{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047960344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047960329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047960317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047960314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047960313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047960311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.194{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.178{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:46.179{3BF36828-65F6-6125-96F4-00000000CA01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:47.782{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B818BA11B6C47155F48DD1B9507824FD,SHA256=B8A02EEBD4A8096A9BF0E62039AC277852B0F3913A40E74786A0570E2C42F8C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.928{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB4B6F9922069EAF927968D3C0373BAF,SHA256=E7F54ED8AB4E8FF96E88753807CDD8F1EFDBE376D80C7070B63D7D921E8B3242,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.897{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4C1DC73827435C2B655DFA89FF5C28,SHA256=D461417B999CDAAB10627B423B534EEBD3E9C66BDD082D9AD183D50528B3E5D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.850{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED2DBDAE0744C1BD4823E1F6DB77BFD,SHA256=4C30A5709E7537ADE794ADE9AAB7C1D13A96B29F2442502FF777EB9C74D19BB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.756{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047960472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.756{3BF36828-65F7-6125-98F4-00000000CA01}59921604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.741{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.741{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047960469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.631{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2F5F8367B5D7192CC110BA57497F472,SHA256=E7259E6CE5F5D9525F529CF131D16FD3D59725E0FD76CD7EE16692FAA8B105AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.631{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961FA30BC545B21BAA0A83CBE1D413DA,SHA256=A24643C8042B55589E6328F792CCFACD322096F17A5D35A490BCB7CA24EB9E84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.585{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.585{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.585{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.585{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.585{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.585{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.585{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.585{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047960449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047960432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047960431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047960428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047960427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047960424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.569{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.554{3BF36828-65F7-6125-98F4-00000000CA01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000047960414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.069{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047960413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.069{3BF36828-65F6-6125-97F4-00000000CA01}59843700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.069{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.069{3BF36828-65F6-6125-97F4-00000000CA01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047960410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.006{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F0863FECCF553BDE360EB80B6736009,SHA256=C9609ABCE9CCAAE6734F37F62FEFB778D2D59B56C3FB3E969067BF2DB711C47A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:47.006{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5EE04251778AFFB463654241ED631A,SHA256=6C9B74E580B3EB91E3206A3B457295B34E165A77CB0C22FFD81679B8BD63681D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:48.796{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6D42738402D3C6E6D506A47CABC387,SHA256=8A7BD042209F552EAFA69A295622C909E6D793324A328431FEDE83503ED05066,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:48.944{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC29CFD25F27AF1C697525BD0A8E32D,SHA256=1B0622563C0E683F4EE304621C8A6092301A9DF3B85C85989AD7EBBC8E643944,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:49.975{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88038140BCFCF0C5398B47F27074842,SHA256=1E4EFD8793A093157E59E4E4817C488FAB83AA731CFED95D48A6BE12305D33D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:49.828{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A9A418714FB2C58375C7C35DE73648,SHA256=A94BB2419886501AA09915EC5395FF301877130D46E07BF9DCF3E27601DAB63F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:55.066{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58962-false10.0.1.12-8000- 23542300x800000000000000047960478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:49.085{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E9D14ECADBF6281204FD66B82EF80DC,SHA256=B95F2B4DB7A8D3BB6239364BB59E08F795D7DBF60B55371D72E72704C87D814E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:50.991{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E74BF93A08A26616D81EF63D94BF271,SHA256=616227A26CB769E065662626CB119B61ACF5A53C32223CEFBE00F7E0619B795E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:50.862{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A448017AB739551DB708EFC16DECF9C3,SHA256=25C0699C92C8973EBF4F3A133B9A86E6563A9C3812BA66A259C51F1E69AD1521,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:45.914{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53900-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047960480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:50.241{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=359AB3559BF2F4F62531083C3F864287,SHA256=6EBF7A2787111C03C86E57D1D4283FA1637E4816A46ADA986557578F8E020B60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:51.877{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681396D01C1491542D0DF128A05588E2,SHA256=54BB589ADB849D1F0EB37F85AC72EC33AC9E7313EC74FCB9FA76191D55D8E783,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:51.303{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D84AA33A6DBBE94742F1EF6B14AEDD0,SHA256=B6CB00E4311B00791FE71BF0390A88D27E2CC0321BEB3655047A86602443F66E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:52.910{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FFBE208F4D5C488602E708DFD37A58,SHA256=9E16ED611063B40F68ED99ACCDD04706E8A333880EB67FD15B7C39C4AAEBCC42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.522{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A7217FF5DDC5C70AACA70AC0CDB518,SHA256=05DE7FE0E9D58852FB79B74DDE681F329AFC87DF17A84EB034DAF7894BDC49F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047960503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.163{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.163{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.163{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.163{3BF36828-4019-611D-0B00-00000000CA01}628676C:\Windows\system32\lsass.exe{3BF36828-4016-611D-0100-00000000CA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000047960499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.069{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6302E085C0811F57EE24796BD23A33B,SHA256=F0CE61F653A6B58D2F3CB7CEA2CCCF7CEFD077058BC8833C78467B8941E2FD3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047960498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:52.053{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:53.929{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F213FD0A57F7531972CA86905451A95,SHA256=495C7093B826584813144A82C906BB4D4DAC05458036ABEB2CFBC591F7481587,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000030726716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:34:53.462{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030726715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:34:53.462{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fd4495d) 13241300x800000000000000030726714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:34:53.462{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79927-0x7ef5105a) 13241300x800000000000000030726713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:34:53.462{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992f-0xe0b9785a) 13241300x800000000000000030726712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:34:53.462{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79938-0x427de05a) 13241300x800000000000000030726711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:34:53.462{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030726710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:34:53.462{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1fd4495d) 13241300x800000000000000030726709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:34:53.462{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79927-0x7ef5105a) 13241300x800000000000000030726708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:34:53.462{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7992f-0xe0b9785a) 13241300x800000000000000030726707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-08-24 21:34:53.462{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79938-0x427de05a) 23542300x800000000000000047960512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:53.772{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC699F6DA4DFBE8DD7772512D58FFBE9,SHA256=CB78753477D0B74E03CBFB472B0F53F45F524AF116D0EEEF1795C25D424B2F2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:50.012{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53903-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000047960510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:50.012{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53903-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000047960509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:49.913{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local53902-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x800000000000000047960508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:49.913{3BF36828-401B-611D-0F00-00000000CA01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53902-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x800000000000000047960507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:49.903{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53901-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x800000000000000047960506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:49.903{3BF36828-401B-611D-0F00-00000000CA01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53901-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000047960505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:53.069{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1A69A2ED3F94423D98ABCA6C10B5B3,SHA256=9778E508610ECE5158D4F20D32E85F64D2743BF82907D25AB2FD6B512E5452A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:54.945{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF587C107CD64497E16450A976BCA1C,SHA256=B85EE8A6593780D786B3F780E7EDB41C20DDB26A3C66D3205CF69C8C30E80ACE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:00.128{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58963-false10.0.1.12-8000- 23542300x800000000000000047960513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:54.085{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09049C644DD55C3C3258A9E5895B2C18,SHA256=B3E57B97617A5F1C9A90E3AD2AA525B63B3EE5514438CF51A877DC421DC7FC7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:55.960{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE79F667A98B4BB78A306CF2A41A6961,SHA256=8CEE0063F6759B278CFF68D8D5F582F05753696D8712E9AC4191D8F53504A9DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:51.025{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53904-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047960515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:55.272{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32EA6C15E4A8178BF728E0E647301CCD,SHA256=85E44B7D58539B8BFDD98CD46A8B8C558617498DF23DCF4AC8E3EEFAF2863ADE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:55.272{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7385DA1BCE641D06C59914E2E4629439,SHA256=6B0CA17181794456FE6EBF3102DFC6894ABE158A553D7F6FF95D4BA958CBAA9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:56.448{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=373853CE43ECB2B739C95DA0303D5922,SHA256=ACB0226A150C1FCA755CB0104DFC9206BD34A05E04C0C36E8ECC5DBAD8A909C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:56.276{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71F32018E16FA9372C1E59298C2FA1B,SHA256=0EC9F85D32FE0EE1093D818E723BA24970F661B12534E67EC64BE0EEE35FF1DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:57.589{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C3CBA96C1AC1B9F9E88407E5A354D4E,SHA256=D42416DBC0FB7A7F9BAA233F2BDE56625A8B902C30D12CDEDA5EE98486DE8298,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:57.307{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF8388E801E8821F9DB1B7F727AE6A1,SHA256=E0C98A0B76822783E2BFD7BFC2C9D2A534C3B9295565E8E9BE849E8AAE503995,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:57.006{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A6F46D9BE588BEA3C78B4132BF3204,SHA256=F280080A9D4D645B6408AF9D1FF8B3907E65445A9368012171E8C4A9EFCEF79F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:58.870{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E5A7F2A3CF4E61EA45BC5057A1B8520,SHA256=0A72BECEDCEAC1527088F4670613181F2C93CD94D3BBFB28AE40918DFC0E5137,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:58.354{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0562E441AB7A7E7A581114FB7A3963D3,SHA256=5C340BEC892D580307D68D7E83F9DDAEA9AC84311CCBD5FC5670EE62DA438DE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:58.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826785BEE9B8395B947EB02F9384828B,SHA256=6906B4D26DB106936D1E40DC914FD82A06716E113F54B7AD05F7F2A8FD2F6AA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:56.074{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53905-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047960523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:34:59.386{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F771A38372CBF7E3FA81F85BBF65BA,SHA256=64758A686BF6D29C8C42D5F8D53894F76085A246B05122A65F5A9257719F0CE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:34:59.042{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533C5F0F0ECEE41403CA5C26B1B3A061,SHA256=58498D3F86C20064D86E237A28049B0B9D14B76B9E6D5CAAA30D1844C4EA8F51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:00.401{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695F7B7ADF1FE51C25444DADC6C3AB83,SHA256=A27D8FA8B750F4C644F137A2E2A10A898DE7F02A62720E2F389C66FBACB0CFD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:06.054{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58964-false10.0.1.12-8000- 23542300x800000000000000030726725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:00.203{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A07800455DD678DCA0D5B1F756FFD667,SHA256=5E7F54A0D42442E5BC820135D28FBD8BA0667ABE3BA97B0B83526EE1F2A32D91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:00.072{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BA404E91789832704047FCCB247820,SHA256=0B57785425C27B7AC4AD6F5D22227317D0D5660758BA2CE68335428228FFE089,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:00.104{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1EF96C67F80ACEC4E0441159AC456D8,SHA256=28A3F0E5CFF464999290BEE29682BC3CE1D6AF6F83248E6B42642305EC938538,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:01.417{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3600D0547A514B68BC1E5016615BC13E,SHA256=FAF7BC665B5F3D3A2D90A5F787E622E4972C3904EC64BADD1BAC11064DA75B2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:01.087{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81155E0607EF7FEC8F95EBD6E590666,SHA256=D2E88162C5D653D41C57AC18E3534C510FEFC93A5CEB6FB59E8FEEF7FFD90E47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:01.183{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=234E6F7B85A7F909A8D940D2B263DCF4,SHA256=24173F0154A1BA2BF8B29D07C365DA125B75D1B6B2232292A20072BD14A53357,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:02.636{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F557FF4C84B0DB51F946637A4A774681,SHA256=32369A47255D631A38C4FF8605351483D6896EA076443ECFDFECE52E8B190504,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:02.432{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C183E149AF8C454FB78A9A977378773A,SHA256=EA3B6EC25ADD4A3708BB7563355FCB547031D69F60130F422E477CDC04CE7A68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:02.088{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E2EDA681221DCC726875C2BA58D8EF,SHA256=B40CA79C7C9EFDF2341AC0B71DF11FC68C5AE56D41CB85A0F50775F3BDC1D643,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:03.776{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E945D9639DA29FFC55CD302D7DFE2EE,SHA256=3AF4F6F1F5642976B8B8F7199B150B5579C3E405BAD123BAFB5EE6C1FC4DD4F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:03.479{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978813C4E4987150BB66AC8C9E8989A8,SHA256=C506B6512B3AF08F700F0B467E67A6A204A6AE67391C109738C27ED01B924720,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:03.903{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6607-6125-A800-01000000C801}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:03.903{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:03.903{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:03.903{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:03.903{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:03.903{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6607-6125-A800-01000000C801}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:03.903{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6607-6125-A800-01000000C801}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:03.888{B81B27B7-6607-6125-A800-01000000C801}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:03.121{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB135677F7B0E3A827B7C6B84E4975C,SHA256=DD10B3FCD6EC35649C87A44532642B3AA54B0AF3D889CCC42B34E92A27DCD71D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:04.511{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6870B468DA243EADB12B6825BEB2989,SHA256=0B3A9F124570206F6DD68E7E25F9527D3B50AFBE6F5042208FD75C5B3BD80B63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.887{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E1AC98791BDB06ADE0B0CBAE19102CF,SHA256=C4102D4B4A1E5EF5B7EF088311DA47AB80F9F2D16DEC856C4F8720220BC3D7EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.887{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFEEBB918DDB6C6D0D5F7C772E57E588,SHA256=AC5309BBD8F0732CC8024CD2A7D2410990D368B157BDF0B71BD2F01FB39A52DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.740{B81B27B7-6608-6125-A900-01000000C801}57005400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.587{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6608-6125-A900-01000000C801}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.587{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.587{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.587{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.587{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.587{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6608-6125-A900-01000000C801}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.587{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6608-6125-A900-01000000C801}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.573{B81B27B7-6608-6125-A900-01000000C801}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:04.172{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBE1749EA563C67D1AF1132355BE587,SHA256=8E10795BDDF8C184F129858EAB8D3691F3FFFB93C81A4BC9ADD40F26091F7F10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:01.918{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53906-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047960536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:01.918{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53906-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000047960535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:05.542{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0E1A2EFC0EAC5BD4256D9BC5538C4B,SHA256=51A74272299E0E2904041EDA5A50043ACCD33BFE233685B15E8EE5A1C52491A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:05.223{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD41746820DA29E7B1521B1E7BF8C05,SHA256=13DC68C337EB7B70FAA2718AB7AD81765715E7F5496D7FC947A0A6772139F2BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:05.136{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBC11A28895E4B83098CE0D6BED19AEE,SHA256=993AE4B4CD7D589E041334040E86764A8CD8722F2442C51C4157FE6050017DE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:06.573{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248CD8E4841C0786AA72303E36BD66C2,SHA256=7A30FA1EA90ECE7ACF75D4CBC7F469DFFAA3C1E0F51860F80D3CA36A024CDC3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:06.255{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FEA632A3088927E795FD5EF6598427,SHA256=3863E8E959578576EC3D3DF87AA5CBBE43A01543C5F7E73A62B7731B1031621B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:06.167{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AA394D3C22D759B335732F931340656,SHA256=DF8230D0A7B6FC891393F4E95B9F24FD177C89F20099F6C4AB1B13C8FF15AB16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:11.140{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58965-false10.0.1.12-8000- 23542300x800000000000000047960542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:07.590{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD498535D2701EF2066D6AD6F0E82104,SHA256=C2F1487B750AAF07E6DA0AA6A916393BC0F7F2B705EC4E0285C68F6B0AA507C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:07.317{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA4DD40B99AC78B285FD8E6D8293E08,SHA256=D0E8013133F4B92F8A49AED9EC138BDA4F68E9E0A65E02179EC436001922793E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:07.434{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23FB889E5764E7A1B52B939702D6B94D,SHA256=D26DB76AC6EBB8BECA0D86D196E19E49BEBE46E0B6D844FE1DD5392D2E48F8EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:02.011{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53907-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047960544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:08.822{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=342CB77202D5439600DEB85A4E5F439B,SHA256=603A9434148979BCE09E7E203E333428730C3763F103BEEEF2CDC920D9093C6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:08.603{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4DB173610C201442FAF0431344BAA8,SHA256=5B2CA7590E4A31432385EEABFEEC2F03D8958FF9D1331A3EF42FDA8CEDCB328D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:08.320{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA60EA2D24F197144784BFA1EC14653,SHA256=5C04EE8A15C9A0F579689A87F43425BBF23FB8FBDACA0F20D0CE709F9DB61978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:09.367{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=392D187BAB1C61784107353C542AE7FD,SHA256=8A76E256CC54D276B1CB5790480E720339F976E283B1F55FDCC5BBB4919AC1B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:09.950{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFAAE281444399DDBDAD12474CE1AD7F,SHA256=B477BAF1BABD3053AA6C3D7D33BF1C9FEDEE6A834A7DAAA0B598D9F2E09A0469,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:09.606{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B55ED93025290078B673D8B75733D3E,SHA256=EF95FD19010B52FE8797DD2F966F3979D506965DC483FF5C9BDB57F0854EA124,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:10.606{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85BDB841A8F4655ABF7AFF42DB70D2B,SHA256=C1E769E0797F924E9B550D1E1CCFF24B8022DEE27A51A4EA7C7F9FC4B8FD754E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:10.381{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A1C4B768C723F58B0ED3BFDDCD5367,SHA256=393A06E0B7D0F22F217A52F92305DB47A3ACF63776314CE0C2946631F109D18C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047960548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:10.216{3BF36828-401B-611D-0F00-00000000CA01}2961508C:\Windows\system32\svchost.exe{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:10.216{3BF36828-401B-611D-0F00-00000000CA01}2961508C:\Windows\system32\svchost.exe{3BF36828-402C-611D-3500-00000000CA01}1532C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047960552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:11.810{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:11.638{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6009F6F2233592B75DF22CE286A8A513,SHA256=89A4519CC6A78329F841180DF3B913E85863F4C6E787392581B71A114096A3AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:11.414{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59D260474563F0D3979C0CE125298DE,SHA256=1658397CC43D3559A1B7A63F8B8C554A22BC6BF3D7EF2B060D629BF1085982CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:11.060{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92964F1810072DF5242CF123938DB479,SHA256=24C3C9A86D0EB81CFCD50CA046F29370E65346205D08B7823FFFD84675879D3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:12.685{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A56BFF582E648F452E6DDE3B92BFE7E,SHA256=A64E7D53E710B8B4F59CDAA5A8FDDC6BAE6EEAF56350AA2D0A8A001EBC698A22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:12.448{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EA423B9A888BD820AE882ACBF06839,SHA256=AEFC6CDCF96221F6E65731C9D51D49819BE97E92168E57BEDC2452B73C7BFA1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:12.325{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9724345C87E4FF8F5AC786BA2D3F6852,SHA256=A18188774AA7B430DB32F706389BA48854BAD93187F2BA16BD02416A5DE4CB68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:08.013{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53908-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000030726758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:17.051{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58966-false10.0.1.12-8000- 23542300x800000000000000047960557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:13.700{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D63042887F172A4DF45639AA608CB0,SHA256=25DA4C11EAD7A16933925D7315DCFA4F17FD9C124A1771194C46EC6528C8B067,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.947{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6611-6125-AB00-01000000C801}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.947{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.947{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.947{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.947{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.947{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6611-6125-AB00-01000000C801}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.947{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6611-6125-AB00-01000000C801}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.932{B81B27B7-6611-6125-AB00-01000000C801}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.463{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E523B489FFEE517EFABA053C1810E9,SHA256=487C7E7254D3ED3D4BB4D7AEF5004D9AFC2199440BD81783630A98E61FCE18DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:09.639{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53909-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x800000000000000030726767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.347{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6611-6125-AA00-01000000C801}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.347{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.347{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6611-6125-AA00-01000000C801}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.347{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6611-6125-AA00-01000000C801}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:13.332{B81B27B7-6611-6125-AA00-01000000C801}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047960559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:14.716{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A977B992B1D0B804CB1F894E974B543,SHA256=57BBA35C444E521394A0BDF5A74CD2449814F5D1E4B2FFC48C6E135E5347585A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:14.478{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F2CD472956AA7273E7B1461CDE047F,SHA256=32AF602BA2DC3F3C05A65155B82566BBDB058224690A723790851C1F1278172B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:14.013{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F64A415427272073E69C4BEDE4A29CD,SHA256=4399A7760467710AD7801345981CFF0159B826331633598AE40502F8D20DEFE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:14.347{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E7BE65773AB3699FDD07A5C94864F13,SHA256=3A1A20558597ABB673829F07EF3124FE23A3709AC4BE2BC47D93717543B806B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:14.347{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E1AC98791BDB06ADE0B0CBAE19102CF,SHA256=C4102D4B4A1E5EF5B7EF088311DA47AB80F9F2D16DEC856C4F8720220BC3D7EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:14.111{B81B27B7-6611-6125-AB00-01000000C801}10205172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047960562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:15.747{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F6A2C2697D4CA077204A64F31DEDA4,SHA256=8AED69DFA2C4B110E71AFD5223F39A21F1ED110113E35E3CE9517F8F5F2CA119,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:15.493{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541DBF031F75E568B9EBEE8BA70DB7BD,SHA256=9EEA232E1A489BC2EAB4206FD873CA72C7B19466D74C4991CBFA0F0A71610F9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047960561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:15.216{3BF36828-4019-611D-0B00-00000000CA01}6285128C:\Windows\system32\lsass.exe{3BF36828-4016-611D-0100-00000000CA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000047960560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:15.028{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B55D7D02EC98C203F8597E26C4AE9E05,SHA256=499888828D8DDE80493CB0AF6C284328C578A8BC826E60C8E2B893457DDE2164,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:16.750{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F7A899C5ECAD4AB61CB4A9D823E91E,SHA256=F8643F23CEDDCD4571C89843AEF2360C41F72FF63F4E492501A66B6D02FB0347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.709{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.708{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.708{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.708{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:16.510{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C42F4D86FC0C56C1CDCC7BA0318F6C9,SHA256=C65736F7888D3F35F5019CF85CD7E87D3D241AFF9A3D0CB30BE4B847A44E64FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:16.406{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFC4664FCB66065181DCD330FED7DB91,SHA256=D2670CB810D394C48A43479A399134D846FC298C86414947C206A2F465B51019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:13.061{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53910-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000047960563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:13.061{3BF36828-4016-611D-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53910-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000030726782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:22.097{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58967-false10.0.1.12-8000- 23542300x800000000000000047960568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:17.781{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D6339F8D1A1F8E7D9CD70ACC3070FB,SHA256=D41C1DE1039A1EF745575975CDCB109541CF6EEAB6467C14EAA155EBCEAF4F42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:17.844{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE2F2A760F98C269684E9F3843E354E,SHA256=3F2207754326FCD9C309463BBAE7EF81FA7E43AC69F9B699F594584B93355142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:17.437{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA95AF6989B86E2459ED28FCBBB3B4D6,SHA256=74278B586FFBBFAD2FE354EA0625BA9C2561993CBBACFD24C48F8A764EDE79BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:18.922{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDCD34D6AB49162C3529220D60171F9B,SHA256=7CD764341702CE11638693E641A621FFE8D1DBB128E4CEB4AF982B63C1131FF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:18.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E83537B9A1610091266613FAF0E816,SHA256=AE27B951E4954E89DFACC0CDFC838CFCA5AF87B3349459C2DEDADF482EA66C13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:18.858{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C899E0DAE96D2BCA45AD3B69AD9BC32,SHA256=0E284899DF460BC01D238464322C7334D9C0CD5D6B82717CC44C270B967DF867,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:13.954{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53911-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047960572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:19.812{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69991492C14EC8DA203D403430FE4589,SHA256=725481FBD050B432589E4B0B24C4765F5DD60F868B46D61A764812B38798404C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:19.873{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29C0CE753A367AC804F3087FF29D970,SHA256=5EBA5C09BAE33BF9DD37A8917AD3DD72B0E8543BFC222D3419B7FA277A8FFEA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:19.410{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.971{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACAC848E3AD7A54FE46C072BF24D3F7,SHA256=C44847B8410FA2BB96A992B6F319FD85270D87DF388A89A542EA3A212C70D705,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:20.828{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFC0689D68F3539D5B2F2721B46646C,SHA256=45540251A3A2A91EF595174ACB8CC93B19AB44B66F06516E07F72564DC9D3D17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:20.500{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FCBF99669684956616D1379FA834927F,SHA256=B13916EF0E2BBE8B8E89A876575EEEF838156FC3F46DDAE20913528AF8552BE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:20.062{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1B3CAEA3DE763026B55378407B70AC5,SHA256=683B263828B66A91C163126D6F5626D040DA35991C0C1F58A33DFEB8BDFB8A99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.925{B81B27B7-6618-6125-AD00-01000000C801}29286496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.771{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6618-6125-AD00-01000000C801}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.771{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.771{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.771{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.771{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.771{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6618-6125-AD00-01000000C801}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.771{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6618-6125-AD00-01000000C801}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.757{B81B27B7-6618-6125-AD00-01000000C801}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030726824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.225{B81B27B7-6618-6125-AC00-01000000C801}6620648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.072{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6618-6125-AC00-01000000C801}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.072{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.072{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.072{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.072{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.072{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6618-6125-AC00-01000000C801}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.072{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6618-6125-AC00-01000000C801}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:20.057{B81B27B7-6618-6125-AC00-01000000C801}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:21.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BE0A75E66C649AB89721A7C5EE2983,SHA256=6A50EA970C7B51231DB72DA25CD35D7D176545F55AB3BBB663B11A8E392C2C89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:21.844{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49EF608828FEC5FD778C130D97790AF,SHA256=2ADE3DED045DDA0D7F6DD28802DEB08BF5DD8EB5145BE95DC44B25A1BDFCF9C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:27.142{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58969-false10.0.1.12-8000- 354300x800000000000000030726837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:26.342{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58968-false10.0.1.12-8089- 23542300x800000000000000030726836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:21.087{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25DEC2D1C99B2549E7510F94CBF1C463,SHA256=671DDB6DCFAD584AD14E2629A3EB70D7351B4F6ACA9695511AA75F407B3BDAEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:21.087{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E7BE65773AB3699FDD07A5C94864F13,SHA256=3A1A20558597ABB673829F07EF3124FE23A3709AC4BE2BC47D93717543B806B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:21.203{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE1CC3354ACE0D49828F6A0EC70A3C8,SHA256=C209808F0A2AD0B908F3AA02D9544559C5365C176925A7D3CA76802E861F15B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:22.859{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8060DB1CB0364EEA98736867D4D9907,SHA256=DA7AF5FE51CEADB556E36F7F473B5B0228B79D6A611830442D285243DFF7D9A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:22.359{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=248D767D69201F3E3043A75F22276EA7,SHA256=A8BBE357FA465AF48D07479CB331568BAD81380B2A5BC93E0BA841BE97984CE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:23.859{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF2B1FC57D1075EF849B41012931B94,SHA256=38B53BF631C8AB8C4DB34BB099094CC7001776E2E2EE6D20C4DB604FC53188B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:23.006{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-661A-6125-AE00-01000000C801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:23.002{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2880C254210FB13672A7A290504A8630,SHA256=5847FA9AFCFACE0B035285B2D1BB60BD14BB859CA91BB1A39560DD38BBB15169,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:23.001{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:23.001{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:23.001{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:23.001{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:23.000{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-661A-6125-AE00-01000000C801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:23.000{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-661A-6125-AE00-01000000C801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030726840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:22.985{B81B27B7-661A-6125-AE00-01000000C801}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047960581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:19.891{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53912-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047960580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:23.594{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89A651B7A83968D8796757EDA2C90118,SHA256=D630FD353DD87FBDC2706E87791610EB3C025BAA74D4050D369AB49813AAF6E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:24.922{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC814BC84FD14C647618303642C352F,SHA256=537DB9449498C308A02DE789E38B806DEAB3AFC13CB84BB831F9FC1A530C9B62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:24.229{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745DE70ADC439A6B16654052950C8C53,SHA256=A9348F4EB38C0CE8F6E04500F7511BD9CED557947076720E332E437E970C7C30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:24.011{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25DEC2D1C99B2549E7510F94CBF1C463,SHA256=671DDB6DCFAD584AD14E2629A3EB70D7351B4F6ACA9695511AA75F407B3BDAEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:25.937{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE38112969579C899A063A3AD838B2A2,SHA256=A607F87D65ACCB110B6BFDFF6D5D8D5C69FD631F46B8502B1AFE3CEE1418B29F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:25.244{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4B338D8393B03AAA5DBFE80EB73A6F,SHA256=3FEDEA1EBDF28D5F3435D490E784AD25DF857705BEB445433BA367686A7FDCB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:25.094{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D085D0BA9B0FFAB3ECEBFD7570C0D45,SHA256=8C9ACE3F370F4C87BE160A41E6A84684E5F9A6EBF0B9982BC7A3D595A1EE73F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:26.953{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EBDC9C3C783020566462B66DA134A5,SHA256=2D67068C546CB2B793E30C2F574D3CCBE4DE5F45B8447754770F51601A0CA3CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:26.258{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40240FEFCF2A7F2254E78635ABC475D,SHA256=DCC1E4DCFAB8BB0A586192C5E6A865175A4800DE85EA3D901654D20D041A1609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:26.250{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=667105D8FF906C2B36D17208F7EB2F41,SHA256=00A41F56DCA11AFA22E68D2AF9AE11DBDF863C4D40F064233B3E943B4302C2BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:27.984{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2D5FD983BE05FF52A0E9AA4E0B4DBA,SHA256=FC28BE56B8FD239A0DB0E8026E5BC2461EA009F200BDD9138AB725AA290F12D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:32.145{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58970-false10.0.1.12-8000- 23542300x800000000000000030726853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:27.288{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53FDFCFF5D73EF9F5DBDE11B076E31C,SHA256=81BD408358FD971635F14F67D626D16F51AEEFFDA0EC19AA6F96595112FDBDE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:27.390{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6F60C6CF4BB963FB712A7667D068921,SHA256=E0DE1B9C3846F3D9284891524D4CEA822987A9E420B684C3F406F002B19720B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:28.305{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDAE5844A2FE6E813FB7214596CA429,SHA256=45218B9A92C68CFE201E245D8CB7327ABF53D84A74012C3C269E4CD39D518AB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:28.845{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FF152D07014688F055256F642D168CD,SHA256=118486ADBBDC241C9B01F3002DC2F57E94569340593DD92BBEB96F8EA7F13CDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:25.016{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53913-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030726856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:29.309{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87073DA96032692A032E5A421732680,SHA256=755B8A2C65900983E72E2D4927BCF07561E451E750A177908B23C0C2F8FCBD58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:29.876{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B6A4E92DE27D52B564B4C80240887A2,SHA256=60323CEAEA2B6491E4DDE3B4EC560D2C0D5E0A802E036A3ECE221001CA768795,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:29.032{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6623179CC56DD88496C74B063E19BF,SHA256=F546294E3CD424B38A7C4BE7B84D3D7C2BBADD7A687825DD4B7CA770F713A4B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:30.340{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF31EBFF712E88EEA5B5894F0015D63,SHA256=3EBFE4EE144C83C70D14F5FF96A5C5613DD53995F63CA833E6E88B3162C02D9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:30.048{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABFEECB9DA853A0628E0337BF577C436,SHA256=CD04D8116A7FA3961B6363138E22A5E5AB1F4C49581F461CE817D14531F81062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:31.370{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27547013981E2B25F4E4F3809CDBB93,SHA256=95F8CC34B7C7A39E8EDE188A69B110183C0177616CE73E1F3127A6DFEA9238C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:31.267{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC04BF6E6977127C6F672CC840840B30,SHA256=0AD844CC511C81FF7D7AFCCF8C72B8DB9931E0D653594197372BD73C866659DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:31.079{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531798D060B1A877B4F365E075E0DB0F,SHA256=ADCA40211044AB861087D7AAB6B73A7E7974680E197D6ADAC476C658F7776B0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:38.136{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58971-false10.0.1.12-8000- 23542300x800000000000000030726859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:32.404{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4A4484A5DB68591DC4393AA5C83393,SHA256=EC25977A4C10853CCF020E6C7A462F40F5C141DE5714397D5AF651CF1D13317A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:32.360{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0FC1AEB7E92FBEB2F2D2F99C39974B0,SHA256=CB69447E46CB9C81431F9F648CB361CD97E6D1CE956C242C39B18787085A55F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:32.142{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5CBFF0EC34029224FA842B2C69DCDA,SHA256=8B15FB4DF09811A353F493901B4B132710BDB4601D4F9860923CC1D3B2FA42ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:33.421{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376974DEAA208DCC0A4DF9BEE5EF51FC,SHA256=34648B9AE98E2A15DF1815B404391CC50B0A7C5BBF31774260119DF57678AC99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:33.579{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C04E5138CD73AF09CEEF80108F0B58,SHA256=3A819F5894D0FDEB955C68443CF811816022B94C5EC23BAD74655C9E91EE2A47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:33.157{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8B57E24EAE8FF46E0EE340DCF0E2B8,SHA256=11E7682BF364A258FF94EA155DC4F5C3DF5B9F487AD7C75E3ED7F278614054F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:34.451{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE9590E96DFE614788749F5880ABBF7,SHA256=77438313A47B9EE9858D92DB753E889D58687B7937A9D89437B93C90FC24556A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:30.986{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53914-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047960602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:34.642{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF90B58FA2BF658477A48E09B59CFCF4,SHA256=BF54499957A3A9F6301D43B1B0EECE89D4D0AA0B397F308A621877EFD9B90FAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:34.157{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72575E427680EC111CF7C06ED033F985,SHA256=F27E0EBC13BBDCD2FB6579F0BC3B0BCE1D83F7CF9CCC7EB7168342734D7DCCDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:35.466{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7ACB04BCE035CD212D90D25C4BC6808,SHA256=732FA59A7E3FE7C317C4F7E39E63DAB0137304E8E0F21FF789F83EDCC2C5578B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:35.907{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0148A4C3D58A227495D826EA4DB3969B,SHA256=56A6FD4876798493751EA51B3632BC84AC067B5993FA0322CC4AE9CFBEFD65A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:35.204{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE46613215BF160A9149B5CC949E944F,SHA256=245159589C61CFF6A8E069AC2EC5C3D4443C03C45126CBC78A329E9DA87C32A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:36.481{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7699038B7B76730AEAE8F438C54D0E38,SHA256=25DB997FBC33F6750B1B17E2EA98FC057415F80AC251539F7081D0605A580BBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:36.923{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41BCB04047C0092E1D7912566BF22CC1,SHA256=D258AA63B2D9B82C2E2A7ECE3865CF4D23682BC6B84DC48790EB76A18F09B480,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:36.220{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25448CDB13D9285775271ED62EA7B51,SHA256=6CED40382BA65355A5BCC02D0526202BA6DAF7948ECC60E4889B7AD43E852F0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:37.497{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80EAC303E390E961B62C3778A017FD6,SHA256=E64B2099BD3DF6E7E19B6C0DC3F562C11A3F131B3E34864CE29E18EECF7B5AAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:37.220{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50179B5B7693B529932DD18634666B0,SHA256=4C1D412FD9875565828961B66DDBCC61636D056A181128ADEE6755790B7C4552,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:43.984{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58972-false10.0.1.12-8000- 23542300x800000000000000030726866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:38.500{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3220B09E7FB87D0EF5F0A199B169D3AF,SHA256=681DF4E8DCD48987735B0D29548CAF30068C135546D139E4ADDC35D1A0676CA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:38.236{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75692427AAB2F1BF2F95A349E1BFFAD4,SHA256=7FDFCB235E2B180A91CC84EF3089A383AABCB5266E40FACFF465FA3410866CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:38.032{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19951D7F8CDEFE764BA576179AB4364E,SHA256=0F4B8BF02812EE0E96F56800142D0D8AA7F0DD441E6CF6F8E73F2E8692B679DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:39.251{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=950FE1C7DDC63696E3C55A631CF1E47C,SHA256=215A2FFFDE91A7A76AD5C374644E35DF081185AA0A6B0C1DD71D7ECB7EA4E398,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:39.251{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9E4004745EDD7AA02F1D57CE8C9DBF,SHA256=7B5626990AE6E3D885A53DDF02227D6C3438C7656F96927C8C5CEE9E9556DCF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:39.515{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD3DE1A848C8AFE6A157CA71340906D,SHA256=242F5AF466EB8B5B54C3D8B427EBCE0650D441E0955CA91E797478FCBB66092B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:40.545{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1C4B9D5F95FF97C99498B823EE4B72,SHA256=2930840DFA6728A8FFB3CAAA5CABE7042F38E42C2858F5925D0BE11B0F841409,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:40.642{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D5FE61171764D256E15BDD99DD902FF,SHA256=8F278BEB6ECD917C8A770A032EAEE406953F0A491EB98087D5EE8E1625658619,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:40.267{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F87DCD9D449EA48E4AF198C5881283C,SHA256=BE8EFCE18C02085FAE3D06DE02431D86F967F35283C97E7E8D6995C6F061F1E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:36.080{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53915-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030726870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:41.560{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2487405467FDA0017D6BC5CA6BAB1D56,SHA256=2AFEE149A4A6D3932C775B288FF82788149C6BCEE742F8A61CCBDF5C3F673586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:41.798{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E11EAAE50755B670CE837BC6DEA9AAD,SHA256=A8B4AB8A519B152A64C03D14575A06E2731A37B11AF9D8C3982984F6B2FB628D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:41.282{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCE75E33F78A7D16307FCEF2011587C,SHA256=6076479B406E035C4E98A70D02BB21DB7D75B07871C7A328D6B512A5EE5FE00C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:42.592{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9232E8ECF0A8736BD38CDF894DB447,SHA256=E567BC70A636EBFA1DF39BC330EE21D64347285F0C3D26F0CA064FE9F7F0A042,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:42.298{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F35F957DE793DDE064DDA0CD78E7416,SHA256=803E6ED44243A01A5B2311DF52C2E8955A51A669A4576BE210EA1ECC3E05B816,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:43.626{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14F23E48BC297E9896BFA958C5B9210,SHA256=9D6A596DC41CD0A83F24DDCE85205E22C3EB0FFE50526AFC62AD7CFDBB84A476,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047960676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.626{3BF36828-662F-6125-99F4-00000000CA01}33205336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.626{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.626{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047960673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.439{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.439{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.439{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.439{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.439{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.439{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.439{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.439{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.439{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047960664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047960649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047960637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047960634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047960632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.423{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.407{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.407{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.407{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.408{3BF36828-662F-6125-99F4-00000000CA01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047960620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.329{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D988962CACBACDCFA45BE92DFC439556,SHA256=81955A36EA6A6C6262FE4903D7A562F9D9F0784E8AD679B109B8ED4C82951763,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:43.048{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779B254857A3D60923ED38CD072601FB,SHA256=E6E58613B2DA1FD1AC8435C430C825D772F0CF63492AC80A23236A4C824E9654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:44.691{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20837B6D88DB6808CF3C2BF4E9631A99,SHA256=782386AB69D69C7A728A4B0189C4B1879D464455A058AF898487F595BE858A9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.986{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE30E3C7218DAF022EBE1DC62FEB308B,SHA256=0878C62D7E504907DC8795A066A2F1504569FC4A1E267D78F16536022A4221AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.907{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476EF8FC6909E26919A9D8260B790524,SHA256=77BFF193FE246FEFC63795CCA07F18A13FA1C641892B72B4239D15AA0D7F2733,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.829{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 354300x800000000000000030726873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:49.147{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58973-false10.0.1.12-8000- 734700x800000000000000047960791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.829{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.829{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.829{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.814{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.814{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.814{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.814{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.814{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047960783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.814{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.814{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.814{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.814{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047960763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047960761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047960759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047960757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047960756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047960755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047960752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x800000000000000047960748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047960746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047960741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.798{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.783{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047960735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.532{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E074E501CBB1E5E2D8CA5EA302BB43D,SHA256=2341859550D1650C857513DC286504132E7AC238110B4F9A8FC02A989727ECA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.532{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE52592453FC4772626F8B67BCF6C15,SHA256=AC81480D5B9873A7E9C35AAB945DE0518D11C86D87F32416CC1270A97A4640EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.282{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047960732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.282{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.282{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047960730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.158{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BF467C4B559EFBCF170DDAD0760706,SHA256=3DE47F52F82D03AC335057AF66F2AC48363623CE4BED9954074CB3C5F8129430,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.142{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.142{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.142{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.142{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.142{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.127{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047960709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047960694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x800000000000000047960693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047960690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047960688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.111{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:44.096{3BF36828-6630-6125-9AF4-00000000CA01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030726875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:45.708{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B4B7F92620F2B998B3B48BD78E5948,SHA256=9B13411E490DF04CABE045423AB0A9ABCA17C47FEB38C5FD4B5E9AC521F4E8B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.657{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047960856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.657{3BF36828-6631-6125-9CF4-00000000CA01}46685132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.657{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.657{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047960853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.657{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B698AFDEFFD705EBF5D32881C29567ED,SHA256=3C59373C7A1755FE0080C6F80C326571B8A64E8000BF9582C5198DCCF36E2E28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.657{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D44E3BA3B4C5A658DE491503F250D14E,SHA256=759FADB4853500F0E928B7B9F462AD5E07347F3B271F087B02801D7FA73D95BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.657{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC7176942BA9AD6657D4BC30D237EC2,SHA256=CA48745BD006A25F34BEBB6A69ADC4A43827D9CFC7230F0D7253B2E8A2B52086,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.501{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047960832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047960815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047960812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047960811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047960809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.486{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.471{3BF36828-6631-6125-9CF4-00000000CA01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047960798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.282{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B054193937C15DB2B33121811777F255,SHA256=9EE4C7085E59A68B592D90FCB4D56B5166AA27A3F829467A6F61959231F3EF73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.033{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047960796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.033{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:45.033{3BF36828-6630-6125-9BF4-00000000CA01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047960974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.923{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047960973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.923{3BF36828-6632-6125-9EF4-00000000CA01}41284620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.923{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.923{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047960970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.782{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.782{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.782{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.782{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.782{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.782{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.782{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047960949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047960935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047960932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047960931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047960928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.767{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.752{3BF36828-6632-6125-9EF4-00000000CA01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047960918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.720{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B931F8B1DD0746C765AAD9A48693992,SHA256=C5697EA4933722BA5F26BBC39900DBAFCE5F639D91C2C64DD8F1EA7E32FF3667,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:46.723{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7187DC709EC6F0DDD771EDD4AFF0EAEF,SHA256=B5C6A62D6D21AF189E1E83763E5D268100466655185BC1C294332132820CE671,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.657{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B08B2F0A8E36D2CD35BA23DE869E4F4C,SHA256=CBE8A44DF6B17ABD2F05994C83EA4BA8C14B27D07B9556C822B65D1D8951A3A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047960916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:41.955{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53916-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x800000000000000047960915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.329{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047960914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.329{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047960913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.329{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047960912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.298{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0887D50E494AEF24E964B86F04FA91F3,SHA256=281BCA0D0E60B99C96305430403E07409DE555E1683C08E0729FA0984AEB90BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047960911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.298{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692D2643A8496708291B3B4EAF9AABDB,SHA256=AFE3336ABD7804A9734DF9C40D5EBBB7C23B336B64A845ACD54208A20F6E5078,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047960910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.189{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047960909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.189{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047960908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.189{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047960907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.189{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047960906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.189{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047960905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.189{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047960904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.189{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047960903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047960902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047960901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047960900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047960899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047960898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047960897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047960896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047960895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047960894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047960893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047960892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047960891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047960890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047960889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047960886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047960882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047960881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047960880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047960878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047960877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047960876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047960875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047960874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047960871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047960869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047960867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.173{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:46.158{3BF36828-6632-6125-9DF4-00000000CA01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047961035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.782{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64A11B4F80891B510E07859070F68CDB,SHA256=C2714AC1208CC2EFAA1BF844BE7F0C69BD2CACCABE3F6A857B2A01969283E062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.782{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8527D12E7D64939ECED466ABEF1EEA2E,SHA256=077CD21760F377535CD107A29DAC1FB09545215D808076F93A0893A67D1294DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.580{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047961032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.580{3BF36828-6633-6125-9FF4-00000000CA01}52522044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.580{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.580{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047961029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.423{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E65D15B0A7EEAB00559EDEC958CA998,SHA256=0C3AB10F87E93F8043A2761FB5A388BACB7CD16728EEB858F851C91B4E7D4768,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.423{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047961024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 23542300x800000000000000030726877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:47.753{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8778F26AB9360C016BD8C1C24EB459E5,SHA256=0D0ED64A7A28C5A7E12147EEE9C9B663ADD307BD5C91CE0B804B04F7D4000AA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.407{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047961008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047961005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047960999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047960998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047960997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047960996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047960995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047960994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047960993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047960992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047960990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047960989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047960987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047960986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047960985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047960978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047960977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.392{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.382{3BF36828-6633-6125-9FF4-00000000CA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047960975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.376{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C03AC39D174C7FD6E906EC7CEC018EA5,SHA256=8C624A4E91BB01C44275EF0BB0C667BDD9BAE04F2D48B8C56EF69D54B7C898BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:48.407{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AC07CF33E31AF0368FE2527FDAA33E6,SHA256=3A87C4BD05E00DAE6F7D728A8E74228241B15A5020395975C24E9B6D0E5D7C08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:48.768{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C5DDDAC23A7DD5FF7432D4DB174528,SHA256=DCE90C6172FB2CD1CB1D8A43DDFDCA6900C0469BE778DFC643770B7DD71EC4D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:48.237{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\aborted-session-pingMD5=92512B7FD4EA11397A202511C04C1047,SHA256=0A9FE0AE7D0BD1C203249159FB768C9E65F58E3C842C0069F364A923357AF7D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.798{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4A656F24C7C4287BFD6E8D576C973C1,SHA256=B09BEEC4FC3B670319425165870809284450606241A77C16DFF6B7137FB6208E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.657{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21952BAC79C0337CF432C88249656F0A,SHA256=1BAC3322A7DCEBDC2863A10B2E21FF3A8BB7A0587C3BBA27DEF767A986C7E870,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.032{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BADF2A8F208825A125150C6A36E258C,SHA256=E1A7FA4DDB14E1087061CBC190F3DBAA0E0881916D10DA667B1A627987265A1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.032{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA3E6ED86170D1E082BDF4044539EEB,SHA256=2B8F2A81E87CA4DE7212D414EDCDAA3FCE16C982599BCB2CA3E1BA52AFF12FF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:49.786{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7407014D4C929F3867443C39E23664,SHA256=27EC630E99F53444699C900500DE58352C55052ED3100184F80D26B86EC97813,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030726880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.158{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58974-false10.0.1.12-8000- 23542300x800000000000000047961043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:50.376{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=435D2CD64B4AE01639B52B591902D49C,SHA256=B05CA7309E5A2E498C950B0429757A5649C6C625FBD8228187EFA55A1B914F4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:47.017{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53917-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:50.032{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CCDB47731AA1AD151C66CC3DCA01E7,SHA256=CA2AB4A7057C35D07765E80C3A4D53D5D203C8644BF51C7BB0FF2448BE276D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.883{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBDFAF0AC12AA23BFECEFFA2609ECFF,SHA256=C080FCD8CFEC8CCADDC3E0E23432192A353659C9487BCF425A0866AD47166526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.819{B81B27B7-4133-611D-A400-00000000C801}39046816C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000030726947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.819{B81B27B7-4133-611D-A400-00000000C801}39046816C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000030726946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.535{B81B27B7-4133-611D-AB00-00000000C801}45646628C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.535{B81B27B7-4133-611D-AB00-00000000C801}45646628C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030726944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.535{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D72A602497D3761479E87890177C74F,SHA256=FE5F4F5EF3720FF84EA71A062622E5583525D750779F905BD7D6E713D2A17797,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.504{B81B27B7-4133-611D-A400-00000000C801}39046816C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000030726942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.504{B81B27B7-4133-611D-A400-00000000C801}39046816C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000030726941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000030726940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000030726939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.488{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.485{B81B27B7-4133-611D-AB00-00000000C801}45646628C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.467{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000030726927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.467{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000030726926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.467{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.467{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.467{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2200-00000000C801}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.467{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2200-00000000C801}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.467{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}792704C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2200-00000000C801}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}792704C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2200-00000000C801}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}792704C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}792704C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}792704C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}792704C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0D00-00000000C801}7925436C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:50.451{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047961047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:51.564{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9B9F300C732EBD3F9CEA988EE06D60B,SHA256=E7BBA7C266203A07417AEAC20C184E6476CCC2C3983926DF58A69ED7CC87791C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:51.423{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=081317E0926512BA3C993EB371FE191E,SHA256=C57A9C760B225A060F62DD00DC5A675C9899F678F0AE706FF24AECB2E0CAEB60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:51.048{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B6149917C1ABB0834EE0AEC077344E,SHA256=C1B210AF219A52CA3AF0E1DE48370B8D43F67D5F840CEEABA00900FAF89AF393,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.834{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B87A23C5B3E0C4FB3C6DC3BA229583,SHA256=2F959A435B9595916B106FB586FB67C39EF9A0EB8F9A656AC03D739C79FC287D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:51.001{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D1D40583C64B8596DB8394D58BC0026,SHA256=906BB4469011845AD1C6D4EEE874BBFAAB251075DF69E633832BC0EE6902B21C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.470{B81B27B7-AA34-611E-C92D-00000000C801}2908ATTACKRANGE\REED_SCHMIDTC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\reed_schmidt\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0DBCHXHZ\microsoft.windows[1].xmlMD5=60F401BC14A4E1CCF30E3F99963F2E21,SHA256=B3A43221B33AD484301856FCC3D50F4E7F416B1CA46BFB6CD2DE45DEE18FAEAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.454{B81B27B7-4133-611D-A400-00000000C801}39045892C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000030726963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.454{B81B27B7-4133-611D-A400-00000000C801}39046816C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000030726962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.454{B81B27B7-4133-611D-A400-00000000C801}39045892C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000030726961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.454{B81B27B7-4133-611D-A400-00000000C801}39046816C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000030726960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.418{B81B27B7-4013-611D-1600-00000000C801}11961512C:\Windows\system32\svchost.exe{B81B27B7-6637-6125-AF00-01000000C801}2108C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.418{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-6637-6125-AF00-01000000C801}2108C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.407{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-6637-6125-AF00-01000000C801}2108C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.398{B81B27B7-4133-611D-A400-00000000C801}39045892C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000030726956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.398{B81B27B7-4133-611D-A400-00000000C801}39045892C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000030726955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.395{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-6637-6125-AF00-01000000C801}2108C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.391{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6637-6125-AF00-01000000C801}2108C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030726953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.391{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-6637-6125-AF00-01000000C801}2108C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.382{B81B27B7-4133-611D-A400-00000000C801}39046816C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000030726951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.382{B81B27B7-4133-611D-A400-00000000C801}39046816C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000030726950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:51.279{B81B27B7-4012-611D-1400-00000000C801}8841372C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047961086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.814{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42609506CF6174005B20869445D3FBF9,SHA256=467A5BAA2FC2DE0B58EB208F915EC460DCA6078CC3676D3EB0417B82B3B5CB93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.199{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local58260- 354300x800000000000000047961084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.198{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local55638- 354300x800000000000000047961083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.197{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local50070- 354300x800000000000000047961082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.196{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local56920- 354300x800000000000000047961081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.195{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local62605- 354300x800000000000000047961080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.194{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local54339- 354300x800000000000000047961079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.192{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local65535- 354300x800000000000000047961078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.192{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local51192- 354300x800000000000000047961077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.190{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local62631- 354300x800000000000000047961076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.188{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local55801- 354300x800000000000000047961075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.187{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local55956- 354300x800000000000000047961074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.186{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50682- 354300x800000000000000047961073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.183{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local58304- 354300x800000000000000047961072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.182{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local51075- 354300x800000000000000047961071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.181{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local58246- 354300x800000000000000047961070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.181{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61257- 354300x800000000000000047961069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.180{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local55801- 354300x800000000000000047961068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.180{3BF36828-401B-611D-1500-00000000CA01}1108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local55801-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domain 354300x800000000000000047961067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.179{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local60533- 354300x800000000000000047961066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.178{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local53382- 354300x800000000000000047961065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.178{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53382- 354300x800000000000000047961064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.177{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61050- 354300x800000000000000047961063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.176{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local62547- 354300x800000000000000047961062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.175{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local65535- 354300x800000000000000047961061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.174{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local50422- 354300x800000000000000047961060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.173{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local49606- 354300x800000000000000047961059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.172{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local53542- 354300x800000000000000047961058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.171{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59385- 354300x800000000000000047961057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.170{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local56148- 354300x800000000000000047961056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.170{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local56148-false10.0.1.14win-dc-128.attackrange.local53domain 354300x800000000000000047961055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.169{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61147- 354300x800000000000000047961054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.169{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61147-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domain 354300x800000000000000047961053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.160{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53919-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local49666- 354300x800000000000000047961052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.160{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53919-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local49666- 354300x800000000000000047961051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.159{3BF36828-401B-611D-0D00-00000000CA01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53918-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x800000000000000047961050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.159{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local53918-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 23542300x800000000000000047961049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.189{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C686FE1B5D0BB8CE280B4326EF8D44E6,SHA256=57FA271A817EC14BC519FD2C08163E2E40C3B2543B868A7FBFD3BA191DDAD3D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.189{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9BD3A73511C54D13A3AAD494287CE63,SHA256=0764B1CA89BE157A430F5D747671ADB9DBDB50DD773FA099FB43ECCB84B53FA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.849{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C886E1AA69B18155E4986ADC1D62162,SHA256=61AD07BCACF317A52D17FBADFE0C62E68B83CBA62806C61F8E45FF069ABA8432,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.733{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B855A8B1337AA2837D3A35A1578874F4,SHA256=4DC1A52D3EFE78F0F3367BE4F10E7ADF40B1F8D4ECBAB99C884696465C9371B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.696{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.696{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.696{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.696{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.696{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.696{B81B27B7-4133-611D-A500-00000000C801}41403216C:\Windows\system32\sihost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.649{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.649{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.649{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030726994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.649{B81B27B7-4013-611D-2200-00000000C801}11601868C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000030726993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.649{B81B27B7-4013-611D-2200-00000000C801}11601868C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x800000000000000030726992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.380{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0D8BBA106CECBD91FC79807B4971EFD,SHA256=801F7D5994188E6E3BF9068152958619EB562F8C2AC46A100267C050A3AC2690,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030726991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.380{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6744D70C748D3C306ED11A0B73B45F9A,SHA256=B86585D834E764669ABA8F633AFCDFFBD22B53A99A55895C1EF99EEAB91EA495,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030726990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.380{B81B27B7-4133-611D-AB00-00000000C801}45647052C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.380{B81B27B7-4133-611D-AB00-00000000C801}45647052C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.365{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000030726987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.365{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000030726986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.365{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.365{B81B27B7-4133-611D-AB00-00000000C801}45647052C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.365{B81B27B7-4133-611D-AB00-00000000C801}45647052C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.365{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.349{B81B27B7-4133-611D-AB00-00000000C801}45646864C:\Windows\Explorer.EXE{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.349{B81B27B7-4133-611D-AB00-00000000C801}45646864C:\Windows\Explorer.EXE{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.349{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.333{B81B27B7-4133-611D-A700-00000000C801}41844260C:\Windows\system32\taskhostw.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.296{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.296{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.280{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.280{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.280{B81B27B7-4133-611D-AB00-00000000C801}45646312C:\Windows\Explorer.EXE{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.280{B81B27B7-4133-611D-AB00-00000000C801}45646312C:\Windows\Explorer.EXE{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.280{B81B27B7-4133-611D-A400-00000000C801}39045892C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000030726971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.280{B81B27B7-4133-611D-A400-00000000C801}39045892C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000030726970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.280{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.280{B81B27B7-4133-611D-AB00-00000000C801}45645440C:\Windows\Explorer.EXE{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.280{B81B27B7-4013-611D-2200-00000000C801}11601868C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000030726967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.280{B81B27B7-4013-611D-2200-00000000C801}11601868C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x800000000000000030727031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.863{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2E0748750EBA88842915BE7FFCBF50,SHA256=322D7E2341FFC3C02CC709341042B6FC83725F4C67B42178824803DC4E431168,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.207{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62633- 354300x800000000000000047961095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.206{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local61526- 354300x800000000000000047961094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.204{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local56676- 354300x800000000000000047961093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.203{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local57096- 354300x800000000000000047961092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.202{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local61050- 354300x800000000000000047961091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:49.202{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local60440- 23542300x800000000000000047961090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:53.220{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF52C3DFD0F8002D8BCA73EA6822DFE,SHA256=708EB5225AA38F7FCF3ADF3F5F4050CD7388D895BBF2C792D1E22A243896B3C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:53.189{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0111FF81EA4579C711EC6FE6DF525995,SHA256=67565BB9FBDB115219F227FB73556F34E1B327F0C77BC9DBF2E4EE1C38A6F050,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:53.173{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C49E0F5DC9602A26B4E463681946181,SHA256=838801612B1A0142B98220A943F7D674EB5431E85FDB5800921C0FE093C41147,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047961087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:53.032{3BF36828-401B-611D-0D00-00000000CA01}8962596C:\Windows\system32\svchost.exe{3BF36828-401B-611D-0F00-00000000CA01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.233{B81B27B7-4133-611D-AB00-00000000C801}45646628C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.233{B81B27B7-4133-611D-AB00-00000000C801}45646628C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.233{B81B27B7-4133-611D-AB00-00000000C801}45646628C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.233{B81B27B7-4133-611D-A700-00000000C801}41844260C:\Windows\system32\taskhostw.exe{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.233{B81B27B7-4133-611D-A700-00000000C801}41844260C:\Windows\system32\taskhostw.exe{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.233{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c948|C:\Windows\System32\TwinUI.dll+75f2d|C:\Windows\System32\TwinUI.dll+75b03|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.217{B81B27B7-4133-611D-AB00-00000000C801}45645932C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.217{B81B27B7-4133-611D-AB00-00000000C801}45645932C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.217{B81B27B7-4133-611D-AB00-00000000C801}45645932C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.217{B81B27B7-4133-611D-AB00-00000000C801}45645932C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.217{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.217{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.217{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.217{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.195{B81B27B7-4013-611D-1600-00000000C801}11961512C:\Windows\system32\svchost.exe{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.195{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:53.017{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.996{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.996{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.996{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.996{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.996{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.996{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.996{B81B27B7-4133-611D-AB00-00000000C801}4564136C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46|C:\Windows\System32\SHELL32.dll+d0c11|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+8ebd3|C:\Windows\System32\SHELL32.dll+8ea9b|C:\Windows\System32\SHELL32.dll+8e3b7|C:\Windows\System32\SHELL32.dll+8e07c|C:\Windows\System32\SHELL32.dll+11c467|C:\Windows\System32\SHELL32.dll+11c3c5 154100x800000000000000030727006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:52.982{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000047961100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:54.767{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37684A22F9FF3CADCFBC590CA401DCEC,SHA256=02F1D18A830E82866ACBC8546F5A9248A5337E259A95EEA97016EC06AAC25121,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:54.407{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E1D1839A7B592FBD668A19FDB3428A4,SHA256=694B7B4E09C47230EB27DEC95AC619EF7F26AB1F795360C0BEAA12BD25417F53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:54.361{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEC91EC885944B91CE48161893A90138,SHA256=6B3537177D524A2F81F65D998DE9941B8903B96EEBFE060AFCDA6408C9935270,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:54.361{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAEEA697FF744430DDC95A093B0BE1C,SHA256=475834B6E13692333AD99CA3904CDC6138F839BBFFAD333808C3042954496778,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.747{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.747{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.747{B81B27B7-4012-611D-0B00-00000000C801}6366680C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.731{B81B27B7-4013-611D-1600-00000000C801}11964852C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B300-01000000C801}5640C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.715{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B300-01000000C801}5640C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.713{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-663A-6125-B300-01000000C801}5640C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.713{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B300-01000000C801}5640C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.694{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.694{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.694{B81B27B7-4012-611D-0B00-00000000C801}6366680C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.662{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.647{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.647{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.647{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.615{B81B27B7-4013-611D-1600-00000000C801}11966212C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.594{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.578{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.578{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.562{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.562{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.562{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030727033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:54.213{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0D8BBA106CECBD91FC79807B4971EFD,SHA256=801F7D5994188E6E3BF9068152958619EB562F8C2AC46A100267C050A3AC2690,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:00.068{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58975-false10.0.1.12-8000- 354300x800000000000000047961106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.134{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local60106- 354300x800000000000000047961105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.134{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59593- 354300x800000000000000047961104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.132{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local49318- 354300x800000000000000047961103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.132{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local54720- 23542300x800000000000000047961102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:55.423{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B92976D3211BD6345899470DF35C94,SHA256=CBCDC36C0DB5309A71FB17E544B0087B4478853106EB4A1EE53C1B2B5D527ABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:55.392{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE7ABED9CBB8AC0B39039D3256AFF6E0,SHA256=B293CB666542E500C19FBB3690D6BBE47F3DDF9D365CCB0A87A82ABD85B57584,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:55.593{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E59799DD7978B685A678EFCB1752C65F,SHA256=4F75929856A0CC5CAA5721EB767EA1A75CA0D7F40BD7805547D8510D6EEE57E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:55.361{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E168B83173D778B63A8D0EC1DE830F,SHA256=73C5E37BEACAF528F8269B6AFC561BC1F5C5E16E477647C12618E8BE63110D0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.908{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53920-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000047961116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.145{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local56276- 354300x800000000000000047961115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.145{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local60036- 354300x800000000000000047961114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.144{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local49685- 354300x800000000000000047961113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.142{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50710- 354300x800000000000000047961112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.140{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50971- 354300x800000000000000047961111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.137{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59679- 354300x800000000000000047961110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:52.136{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62479- 23542300x800000000000000047961109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:56.438{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DCEAD864EBB26F1CB8475B81A3684F,SHA256=78B07C074184D6E8B07F57F361C8509A4E81490826EE2AC49BDFF297CF2AEFB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:56.423{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B46CE684D66438A6BFBBF01B94B6B83D,SHA256=9F8020D45BF9D1E00CA0C80DA21A55C930102050C435A4F6DE8834DA239D29F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:56.063{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DCE72E9FF58F9A75E5AC66C61770986,SHA256=70A4C8EB35DAAA3C747DB649F518E06D55913CFA35169115329F52A4D3289112,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.456{B81B27B7-4013-611D-1600-00000000C801}119632C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B500-01000000C801}5764C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.440{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B500-01000000C801}5764C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.425{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-663C-6125-B500-01000000C801}5764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.425{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B500-01000000C801}5764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.424{B81B27B7-4133-611D-A500-00000000C801}41403216C:\Windows\system32\sihost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.415{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000030727078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.413{B81B27B7-4013-611D-1600-00000000C801}11964612C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.412{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.390{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.390{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030727074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.375{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8C2E6CDEE037CBC2FC586888EB7645,SHA256=7C467245EDC1B7C7FDD8BDF97D7AE66BABA1C3BCD8FFD55B9DA84FC99CC3289A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.369{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.366{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.365{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.340{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.339{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.338{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:56.338{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000047961120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:57.454{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27637E5ABCC1BB28472650F2D66B730,SHA256=0D6A7D79AF8BC5A713847903CCF6923175B2538095DAC5F55818C25419661EEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:57.438{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=699B8245FB7DC9CA59A89A345EA57E8E,SHA256=DEA2C02BDDAEE1CDDF88D88D8CC6B1B0D07D929560125F54F030A5985C969128,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:57.079{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F442BB3B6C335329DAC21BAA518C4515,SHA256=5D008FFFA0F255AFCCD8FE5B368B600F8039F5BC84282168E6E39E140DCD27CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.785{B81B27B7-4012-611D-0C00-00000000C801}7325720C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.785{B81B27B7-4012-611D-0C00-00000000C801}7325720C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.785{B81B27B7-4012-611D-0C00-00000000C801}7325720C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.785{B81B27B7-4012-611D-0C00-00000000C801}7325720C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.785{B81B27B7-4012-611D-0C00-00000000C801}7325720C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.785{B81B27B7-4012-611D-0C00-00000000C801}7325720C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.785{B81B27B7-4012-611D-0C00-00000000C801}7325720C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.785{B81B27B7-4133-611D-A500-00000000C801}41403216C:\Windows\system32\sihost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.654{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.654{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.654{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.654{B81B27B7-4012-611D-0C00-00000000C801}7325380C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000030727086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.401{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CF691D96A1524331D729ED6B6D57339,SHA256=4EBF53CECE4D1253F46E80CCA9D4F7A4D0AF1E5D5E09C4C1C839BF12BEF0C0E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:57.386{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FD199F92F287099B18E5DC381E88DF,SHA256=630A4E860A8EDC6684A133523A89824BEBF5B6887CA18A28D2C227831072ABE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:58.469{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D43176A292A5E57472EC891499F746,SHA256=62A0BFE73A3A13E4F0D84718F04DC617404F4EA3A997F8527770D76F34D8495F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:58.454{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A7B2ABAD3F97BDD2DA5E1102E273AAF,SHA256=03972FCF3AAF227FAC5A4DF3A8C0E12983FA6D242D91026847AB476A59DA4A3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:58.094{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0B553F338086E83BAFCE97A880F0F56,SHA256=E927B46FCF85DD237ECA0ABF7ED60ECCC8AE4E52DBF5E3240D741C4760035F0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:58.422{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4D862A9AFCBDF1A059CCA081744C39,SHA256=BFB6067029EE8B8FA6A9AEFA88F1EDD1ABC076032D3A0F561439DD4877792FD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:59.516{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC875F635E3BA3B0DEA5EE206F0794D,SHA256=A46991A5835E9C15470B5C6514CBDA39A66723FA7A289BF81A768915A28B9D9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.618{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-663F-6125-B700-01000000C801}6648C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-663F-6125-B700-01000000C801}6648C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-663F-6125-B600-01000000C801}49126552C:\Windows\system32\net.exe{B81B27B7-663F-6125-B700-01000000C801}6648C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.612{B81B27B7-663F-6125-B700-01000000C801}6648C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 usersC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{B81B27B7-663F-6125-B600-01000000C801}4912C:\Windows\System32\net.exenet users 10341000x800000000000000030727108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-663F-6125-B600-01000000C801}4912C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-663F-6125-B600-01000000C801}4912C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.599{B81B27B7-6638-6125-B000-01000000C801}12085068C:\Windows\system32\cmd.exe{B81B27B7-663F-6125-B600-01000000C801}4912C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.601{B81B27B7-663F-6125-B600-01000000C801}4912C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet usersC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000030727100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:35:59.437{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F02F77832D67998204FC8F3FA1F34FF,SHA256=B71E79AA7E28CA3370AD3BBD818A75EA21D8AE3B0C56C8774F513EF25BB11C5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:59.469{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF961AE18357F859D29571790D559174,SHA256=B45856659DB027900F060049D5F471B5A643A2BFC2D1E5FA882501109AFF5298,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:59.110{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5D4D0B5DB6F1C500873103322789FAE,SHA256=B0DB384EE5F56FE2ACFB3508212D4AEB38D8CE2B827B0EAAE94796818C6BFBF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:00.516{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47FD642372BC47C1C22157BB3C701FD,SHA256=BD22C1123FAFFFCD7F8EC035F79E8E8212B2A73B54273349D9C562045C5A5439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:00.516{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2358B845A6E57EE50DBCCA04545B307,SHA256=6CCF9C207318A65F76A84173803F75F0C51043D7470220DAB7F9E43F008DECA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:00.617{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52114B9C4404494A544DEBD9510886FC,SHA256=5ACCA515FB006970496CD6DA7826B8F0A9B6ADB02A2264ED1A185E8AFF60BB58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:00.451{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDCE22293B56DAF6A67D7CE0490E76B,SHA256=FF2495C5FD9002AEF868CE582E1127D96C2EA4C5BB6D419ACD810CFFEBDB2488,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:00.157{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6921F293012BBDC877938BF87617F2FD,SHA256=873A8D6FDF87056638F9CFB0C652EE3942961347B410851BB2AD385B28BBB7A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:00.214{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C1F6098E6B7D4D67E25D856A1D53B100,SHA256=BAE5927C55EC7A0609FEA9D60B5E357E4864EAF05DAA9F32B63C8BB8E10CD108,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:01.548{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA8885DB09EA9D35E6374FE326EC47B,SHA256=82E5512BB4050653C1557F4836AC13F47E7B93E9C01AC166840C6A0C80A01A92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.981{B81B27B7-4133-611D-A400-00000000C801}39045892C:\Windows\System32\RuntimeBroker.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+17d743|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x800000000000000030727131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.981{B81B27B7-4133-611D-A500-00000000C801}41403216C:\Windows\system32\sihost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.981{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000030727129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.965{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.965{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.965{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.965{B81B27B7-4012-611D-0C00-00000000C801}7324836C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.965{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.965{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-AA34-611E-C92D-00000000C801}2908C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.965{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000030727122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.965{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-663C-6125-B400-01000000C801}2872C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000030727121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:01.466{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D566584F486105FA80C3C5B0331E101C,SHA256=A5CED0FE808020797765448848DA87F9577E4AB04D65F35384D95B017505A628,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:01.501{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACF91F33C9F7B41D96434C34A6A50ECA,SHA256=D20FE251C4FF7DBF83C0C56A0EB57A037EAFCA5C4914E5A11D474389A14C3042,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:01.141{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C6D24F904147FF213C031A67E76B42D,SHA256=0510AC54834F36BAFF1D1726346E2DC97D9AF53F703F71CC03995EAC4DB2BEA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:06.035{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58976-false10.0.1.12-8000- 354300x800000000000000047961136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:35:58.939{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53921-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:02.563{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68A571BAC1D20059D45BE69302FF0E0,SHA256=7AFBEC77E33903D3B77A2500E1CC3435EBDD9F3781BF18B5E3FE67AAE481762B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:02.481{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6728B17841C0984D35077D51DBD817,SHA256=3AB888E946E2876EADCE51CA7EB1391D6C1DE8E9F133BB86CC2FC845EF2E29CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:02.548{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01E3564582B2A6DACF399240510A2A82,SHA256=FDE1C267817072D8DFB10622B3785079FADA97F2EA969467C437BE2DD11B5D92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:02.188{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E73203893C0C9ABACCD4A389CB2348B,SHA256=5BDD156ADE9BF15EAEDBC0DE8BFC277242B77876DFE391842B2F6F1C41F63759,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:03.829{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB0E9D944FC26E30474D2CFD58BD3A3B,SHA256=0442ECABC22451B6A3CE423BD64A0878BC6268CE4A97C79E988D2418554F1022,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:03.829{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73F47DBB7ED52BF77AB445D77AF4A27,SHA256=F17B431A5A079A1CB9659DBD879A5727305370907DF2A895520C26CF772C5D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:03.895{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6643-6125-B800-01000000C801}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:03.895{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:03.895{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:03.895{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:03.895{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:03.895{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-6643-6125-B800-01000000C801}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:03.895{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6643-6125-B800-01000000C801}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:03.881{B81B27B7-6643-6125-B800-01000000C801}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:03.513{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83D1619F5E77BAC698644D400D51757,SHA256=8E54DAD1A0E3777A039D1330C74201F53D084D59D8C9DA55FB0E24076BA59C3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:03.204{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AAAF43CCAD4D58D80CEBB6D4BD87D67,SHA256=C1A38BC1A8C4C948BBD8787CE2135420816FA6BE80BAE9F0A1BA01A4A928D47A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:04.876{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FE89D47CDE89E555F9E02366056779,SHA256=6CD3CC7E55A0AEAC43D1E5E00111F643EBD16BD6A1910DC078C8AAF054CAE8DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.959{B81B27B7-6644-6125-B900-01000000C801}53765280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030727152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.896{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61537462F4ED50B9070290F182324F4D,SHA256=E11F0D4E16D43E162CEADB37C62511ED2EA3A924157F038AAA80558A5622A155,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.789{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6644-6125-B900-01000000C801}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.761{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.761{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.761{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.761{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.761{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6644-6125-B900-01000000C801}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.760{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6644-6125-B900-01000000C801}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.565{B81B27B7-6644-6125-B900-01000000C801}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:04.517{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84310A7B2D5CBCB1FA85FA7D15A4F4B5,SHA256=C5AE710C263EB2C4B7D79AF71CED6B86227ED649E3C9D601DBE9346F3352D7E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:04.813{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35B63C067E4E0EB3F0AF99E0087AD3F9,SHA256=AA28A16F525F007A14854773A21A4CF5836F1ED15541620799F26430A2408712,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:04.188{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2823CF4E12BCAC22635CC7CC114DB4E0,SHA256=3CEBE1F5AA440231057D388B61C18B43F195005EF208D906A7728F6E6CC8980C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:05.891{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BCA9E6E3CD929E25A3590C50AF07C98,SHA256=28CF3E6414EA94A467D7977314927E239DA5CF813E231491D72AB0465DBB2836,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:05.891{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE62BC637DACBA1795B2E8550EB805A,SHA256=09BFC486AE5E8589F746A38AC8EE6710242006913595F9446F6DAF2CE0C37DFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:05.992{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB494FBE98139C7DBD4BA1B93DA98087,SHA256=F35B41DFEB9789631331609AAF313DFBC30039063F2E4A7653B48463FDFC05E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:05.543{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C107924A896FF3318D67BDDF0729604,SHA256=0CC66C06109917C2EFF290B76B37766FDD610423F27220C2DC298F83C4D28AE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:01.924{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53922-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047961144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:01.923{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53922-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000047961143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:05.266{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38C23BAB08778B237342BE40503325F5,SHA256=9B7A5D3518B807C96913816A22113F778315884AB57BD0C40E4E7DACC19C7D7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:06.907{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D9CE12045BEC414A3E80D254B36854,SHA256=71BA479C0027E9C72F3A999D954C9F7E8844C83C995EEA5FE92396EB544DEEC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:11.186{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58977-false10.0.1.12-8000- 23542300x800000000000000030727156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:06.557{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D0E02CC03C2C906F05ED8648A9FA95,SHA256=979A0850776909358313A93B17A6907086D6903F091779A84F7E9F11AF16164E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:06.876{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F8DA8ACE169573737383FF9393284E6,SHA256=7B550FD9B9AE625408A80E0C803160CBE6E8F7BD434A336D4CD578E057DFDEE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:06.251{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AEE278FD4ADBC2C19CFA0FF2184DA76,SHA256=E92C903D4DA86672FB13322946A79B0813CF8BEB0FEACFCE1A02288FC92D9B4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:07.907{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F62C4C37245976C92CDC447CF8BB432,SHA256=627EF4DED081780FFFE22398952D82E4E5B6F6E5B9D9628210831B28DDDD45ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:07.907{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCB608B954C100960B96AE479782B3B,SHA256=235E4E6D84469C06A2D8BE852AF0B95E07B1640782F6A8B9CD29A055FA6CF0CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:07.593{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC9E505CDEDD585E062A59342CCF59C,SHA256=2E417E6B16955CB0FAA7BCBA879F606EC747CF2170CAD66E0580D4D5FEBE8B54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:07.282{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42AE7228DABD5E0BE1E3EAB214F04134,SHA256=4BE78EFB15CCB45AC8A01ADC0F34E7C867B6504F02D279F75BC4E9004F88E9FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:08.923{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3450155EDA1E22F1DC9E22DD5B7B58EF,SHA256=584FFFA5F912EC6860142902DC1EE3726C8640CF97C936B0DFEEC8342AD58F77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:08.624{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6309C40F1537EC3193FC0D8455CC70,SHA256=E1BA24F314B5726E0CFBB455F7E27C2FFDD9F217CAEB0EE150EBA68017C4FAEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:04.939{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53923-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:09.929{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3A359B2EDF434C6311F0F3568BDE59,SHA256=2A0C8BE0A397F96D7197E06808B8C10523E2DEA43214384BAEEF3B4415E3DD6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:09.670{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE1976138BD0AB9C883FF2A0DACA2F4,SHA256=67419078851D3CD9F12C2C8C6A7E54927C06860CFE214FFD4CC089A54F7D0CDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:09.038{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA4C7257674FFDD2AF6D2772BF1ECA5B,SHA256=2D583FE5CFF841CA19E82994152F438D5D8A54B680EFEB29C8CB6DA987BEB55E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:10.932{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E309FB54702F1AFEAF66975B1FA0B8A5,SHA256=A667BC37C1FC0CDB68D626E13AA143B4016EDE745FDB21F20CD3286AFDCD51CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.691{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E131C0A6E7EF421D1A99F0E306121D4,SHA256=30CD3C6FE0897BC43DB48839072721388F8B693D1BF382D6C5D09EEFF0AF17BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:10.167{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=950FF7EB9BA17695AA85AC16AC6DC301,SHA256=4C5A6623D3AF5DC92EA3978634C040C89852BE5DDF7FD9B71112070533822B1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.492{B81B27B7-4013-611D-1600-00000000C801}11961512C:\Windows\system32\svchost.exe{B81B27B7-664A-6125-BA00-01000000C801}4876C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.488{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-664A-6125-BA00-01000000C801}4876C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.454{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-664A-6125-BA00-01000000C801}4876C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.454{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-664A-6125-BA00-01000000C801}4876C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.438{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-664A-6125-BA00-01000000C801}4876C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.438{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-664A-6125-BA00-01000000C801}4876C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.438{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.438{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.438{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.438{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.438{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-664A-6125-BA00-01000000C801}4876C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.438{B81B27B7-6638-6125-B000-01000000C801}12085068C:\Windows\system32\cmd.exe{B81B27B7-664A-6125-BA00-01000000C801}4876C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:10.442{B81B27B7-664A-6125-BA00-01000000C801}4876C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic useraccount get nameC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000047961163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:11.948{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EECE5E7600AC6B2B484692D9604CEA,SHA256=EEA97BC151AB85BEAB7609D17D6C08D797698EF1B208E54C79834C989515BECC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:17.510{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local61428-false10.0.1.14WIN-DC-128389- 354300x800000000000000030727180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:17.503{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-987.attackrange.local62872-false10.0.1.14WIN-DC-12853domain 354300x800000000000000030727179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:17.503{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:3433:3933:28d1:a286:81df:ffff-62872-truea00:10e:81df:ffff:31e:b81f:1f8:ffff-53domain 354300x800000000000000030727178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:16.959{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58978-false10.0.1.12-8000- 23542300x800000000000000030727177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:11.706{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0607244B0DEA421C8251F185E77CA57A,SHA256=640CE132BAE2D1500D6805C7615909C3F508C04A603A22DA0B8614AD66897D66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:11.839{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:08.415{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98762872- 23542300x800000000000000047961160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:11.307{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB16ED694AD990D40BC713FB058D121,SHA256=A44C4E3D5BB5C9EB6176ED2037C86D94286D2F1C02A010E53E1FB307D1CCBBCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:11.487{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=971A1FAE4F3755F8A67F0AE02C57BD7B,SHA256=5459C104A83E35BCC9356971ACE052AA3475D4144E1A2D2D418E91AE00934D1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:11.487{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF8DD8930D880AC1850B5B1D7DC49697,SHA256=408C5F326F70A843EB6D6CD87AE1F57D04D7C99E62E116A291AE9A8C2D77E219,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:08.558{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98762654- 354300x800000000000000047961169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:08.535{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local64595-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x800000000000000047961168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:08.535{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98750486- 354300x800000000000000047961167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:08.422{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local389-false10.0.1.15WIN-HOST-98761428- 354300x800000000000000047961166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:08.417{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98761427- 23542300x800000000000000047961165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:12.948{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC58108D504E08B8FAEE29A4D7D21005,SHA256=C541E7BBB169D187FD215C64F06B9452DC6DF6DBC00807E7EC39695AD36A3F82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:12.989{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+56c8|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:12.988{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+56c8|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:12.988{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-663A-6125-B200-01000000C801}4264C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+56c8|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030727182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:12.708{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854CDD860A833C087A8E8F2E910AF7B4,SHA256=337DB3230DBF3182FA027E59B44ACA8A35939946B26E3853D3CA237CF30B688C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:12.448{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B43C19F31169E1CB615940EED8C05DB0,SHA256=7596FEDC66E250D5C5437039AE7A25A9F635FD65F6B0D7BFADCECD044172A7C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:13.723{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F919CB4720E5E624453B92A2C7C673AD,SHA256=3320ABACDB3C7D40EB385D074EF8CFD99EE48EC01BFE5E62820AEC5EADBCDE32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:13.948{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49583F6682AD22799E638D9EDB993C52,SHA256=6F5766FB4AB6E2A9E046D689FBFD8FD9B01FBFCD3419504132FFF9FBB306CC3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:09.667{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53924-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000047961171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:13.698{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D246A669D3BC6AF80208F627DF9EBE,SHA256=604C5C907EF991203077C897F4E71587005DC7E481B2C526C32D1FBA5FBB879F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:13.668{B81B27B7-664D-6125-BB00-01000000C801}57127004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:13.511{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-664D-6125-BB00-01000000C801}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:13.509{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:13.509{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:13.509{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:13.509{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:13.509{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-664D-6125-BB00-01000000C801}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:13.508{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-664D-6125-BB00-01000000C801}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:13.340{B81B27B7-664D-6125-BB00-01000000C801}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030727189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:17.647{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:3433:3933:28d1:a286:81df:ffff-57695-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000030727188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:17.647{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:7073:809d:70b7:7bb9win-host-987.attackrange.local57695-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000030727187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:17.647{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.15win-host-987.attackrange.local137netbios-ns 354300x800000000000000030727186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:17.647{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 23542300x800000000000000030727209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:14.769{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1FBFC4EED8BD1A70D0AA497AA8348CA,SHA256=B8828CDA8D33C11CC17EB03BE449B63595704ACB91FD67F4F3C546292474D1BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:14.285{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-664E-6125-BC00-01000000C801}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:14.285{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:14.285{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:14.285{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:14.285{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:14.285{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-664E-6125-BC00-01000000C801}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:14.285{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-664E-6125-BC00-01000000C801}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:14.156{B81B27B7-664E-6125-BC00-01000000C801}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:14.001{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=971A1FAE4F3755F8A67F0AE02C57BD7B,SHA256=5459C104A83E35BCC9356971ACE052AA3475D4144E1A2D2D418E91AE00934D1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:10.886{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53925-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030727211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:15.784{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615D990A30307E963F00AAF7FB074716,SHA256=D6574DD4C45DA7FBB5CA392BFF4D409E68891384508B3451F2349531301AC10E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:15.932{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=258F6393D9AF697798D4AFD04B0A4C2C,SHA256=43A78AE89CD987BE5F445AB18FED09802D42F40CD2021DF15D1398CE6A9BE0C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:15.198{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=081C29355FA286ECFF9C65DEA5A73EA3,SHA256=FF6E836A24900ED8CAE56DB7585740D6BC0B85DF6E7BBD493FF56FC3636E8CD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:15.198{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00337974DBC12E0C07E54F5CF9966FFD,SHA256=243E5C11CA4CC8BDECB2845CC5FEB3D6E59114E12FB5CA79A83B70A9AE5D041B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:15.368{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D2A45FAA63AACF65E882B6AC503214F,SHA256=3878DA12F56D41BA54D5722B2FA7BF3B7808AAD499FE79A6CE2FE7A2D9A474CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:16.816{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7807ACF635273CD6C3418F7DCCD595E,SHA256=78B55DA13C571F49A0354AE9A25A551748791D9FC92DB3055D7B8F86AADC2A35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:16.989{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=710088DA40672937597B08AB3A3666CE,SHA256=584346FD5CA25C92C331F8DA74D5FB5AED77405C6A93820D2F23A92A2932C337,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:16.333{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E66E14779F8F72B8B66CE944F6E5B7,SHA256=A0A4AF7BDA2B254159343C9C5D1E2EFF5FC1E9914E2815A5C41A3DFCA09D2B47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:17.851{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68840A22265B3230D8BD9F770AFC4FF6,SHA256=DF5525690AA7E06E782C5B6582322DD82BA5F626F9EAFCBE2603C2ABC1FF544E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:17.348{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FFDB91AB4FFBE1CF3465D1B2300896,SHA256=27F2C6729BDFBAC023EC712901C45E8EC76954BEEB0D4C6CD5EF050120D1CB6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:22.004{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58979-false10.0.1.12-8000- 23542300x800000000000000030727215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:18.881{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8403CB422023CA1BDBA5D9E77EEB93,SHA256=F226970FFE28C338DD18E4C07B4DF06C009F646DF0A3F990F16D9CB15C08970B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:18.520{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=329E510F64107AAC73654DABA36D87AC,SHA256=39171AC77BAB0B3271B356CFD2BC0F8D25AA5F8E4173208CB792DDBD2D65384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:18.348{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C787AA334FF8E9F13B276F291B590646,SHA256=55DEA5E73D7E07DF0A5591C1C88A3C312176F86A35D8DAC4C972008C59D08293,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:19.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D4ED54F289171BAC9104D4B6FA0DAE,SHA256=5E50374C09B66721292F7060B47D10673131B0F63B66D21792E8846C5479DC79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:19.833{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD6E1F6C4DE153AB07A35FC4409123AA,SHA256=B238565B89196232774AF71D764BA89465B7871D69D65B910F4C20A4DA7F4F85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:19.380{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A257F27E40E256A6805149EE12A51A6,SHA256=ABC9CA584BE9426FD1DE79821C98CFC56DB10A4211EEBB1FC95F19C805424D6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:19.433{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.918{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CA7DCB0913689BD812F2943974DA1C,SHA256=F83BCF7746988446F0D66CA842A94FD35BBC066BC6328FC51FD43E72105D6EE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:20.849{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A27043E3657D28E799D6D1EE48D9BCD9,SHA256=BECC1A471FAEC2D02D296F22A848D534E8C8D2A259E9AD63944FCBFAD8E30B78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:20.505{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=663EB15E26C43E4656A9257920A55883,SHA256=7F4F4F10B2F4E230FBA72AE507D383B9CBCB772C4CE5200D5250A3A1EB35BE0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:20.380{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1787406D0E338495B23109BE69DFDF48,SHA256=5F61633A3E13CD54A71513CE72393B53AD7645E82377240A0934DC810F399B19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.873{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6654-6125-BE00-01000000C801}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.870{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.870{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.870{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.869{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6654-6125-BE00-01000000C801}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.869{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.869{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6654-6125-BE00-01000000C801}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.696{B81B27B7-6654-6125-BE00-01000000C801}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030727226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.195{B81B27B7-6654-6125-BD00-01000000C801}31526768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.017{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6654-6125-BD00-01000000C801}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.017{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.017{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.017{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.017{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.017{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6654-6125-BD00-01000000C801}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.017{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6654-6125-BD00-01000000C801}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:20.011{B81B27B7-6654-6125-BD00-01000000C801}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047961185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:16.068{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53926-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030727241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:21.933{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282AE34488E46780A6EE904B53A3FF4F,SHA256=73E913D581D4E588CFF1A309D843168DB8BC6E6A15E69D19E9CC3E44A4F37512,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:21.442{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214A7B07A50DD445D3D031C7BDF2D9BA,SHA256=5DDA2858702CFE65B0E0C0CD7034BDA4A76A8424CD3B3EDBBAF5EDC61D723569,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:27.030{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58981-false10.0.1.12-8000- 354300x800000000000000030727239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:26.347{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58980-false10.0.1.12-8089- 10341000x800000000000000030727238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:21.033{B81B27B7-6654-6125-BE00-01000000C801}6485192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030727237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:21.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=036FDA90CFD323F538C719A4A398CB06,SHA256=CC508A4022A2AEE724D280E33FF50B7033F9B08DB5AC55B5308533558112472F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:21.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=443F4B653AB8BDEB65D75E1CF3D4F8D1,SHA256=546C0C7C7CBADCE2CDA338B681823CABFE37FC4C137D7BB55D51490841AA93F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:22.948{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F54CB1EC6C302460E46AADDB34CCB1E,SHA256=1824721989A08F6D293AF691D98C581EEF95080A927697A789574A300A56B418,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:22.489{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D762D5833A6F2CB12024CC6E1341F6C4,SHA256=1246DCD0429D22639A47DB8CC3F9049963C41827ACAF30F267284C92F247CF9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:22.064{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=036FDA90CFD323F538C719A4A398CB06,SHA256=CC508A4022A2AEE724D280E33FF50B7033F9B08DB5AC55B5308533558112472F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:22.099{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12891B24AA2B99D4A0236B41AFEEC28F,SHA256=53956CF40E8A1336C38881994E7DFBB13FC97F97603B1B57F1D08D7AAF7670E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.962{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F47535C4FBF71AD88DA4ACAE499082,SHA256=1561B7D700A4CFA4453DA6475F0479CAEE4E4954C75535563C80568BD400A1FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:23.552{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2A2C851AE6DC1F7DD462B730AD76B9,SHA256=063BC80A750014E3B0164B588AE195895FA633FA8186F60B6EBD7C327EEF4985,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.432{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=A8BDCA701E8927B1FAF823ADB37DE8B6,SHA256=A4D880001A69DA90F17F69109664B0A04A059D32486EDDA492C402414373E922,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.432{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=E26BAD659B43E340219CED601A5F0DCD,SHA256=504D44829AF808DEBC79E895447752000ABBFD1ADF87474AC7D8FA8C2C456F37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.432{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=14B04FC5B3D5C7A127BD2A9BD44B8C1D,SHA256=4D7909CB6E4FF378D23A4381D55A557EF2408E69461974298698E7FA522E4F0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.432{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=D20273D15C31B372B0394AF7D9F9E92E,SHA256=13597584E77D248A170D999BE81CF913C971C37ED51547F071E920DCBE128E46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.432{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=934726BF3787C168204CB8150EC06AA7,SHA256=06134E63C85EA471381D3A2F5A90335B1FF374E56558342E9CF1B69545A69F80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.017{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6657-6125-BF00-01000000C801}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.017{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.017{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.017{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.017{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.017{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6657-6125-BF00-01000000C801}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.017{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6657-6125-BF00-01000000C801}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:23.002{B81B27B7-6657-6125-BF00-01000000C801}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047961192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:23.505{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC7730B1F7A536CC219923F67E16E2D3,SHA256=8DC055B47C2015E249D00F73C1729EF342F28AF625DDD347F96B970C1F388861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:24.980{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F21E5C1C86CCEABEDA231CD693AA1B,SHA256=7D07B7A8C44E1E330F190BF12F2E59CCC871E8CFAC4BE4DCB6A6030CE0F76E17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:24.739{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=331717EEC4F49D6936C65C5897DE8E67,SHA256=478282A53D583CE4109BEDC5B550C231253B542CA6332DA91A75F119EC42520E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:24.567{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2334465EAB2AC0B36848C4CF515E5FA3,SHA256=D5263C5387659D448830A4B8FAE4B4087C27B88F641D5AC9F41725C5443B31DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:24.015{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B029881ACC9FC7B4656E6702C9AB449C,SHA256=A8FB0CEFA47AAD42CD5FED660915C14F1CB336DB88EA3683E07FA744516246CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:25.895{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32825A80AFA717B579AAF14DC4C04C79,SHA256=0310F9E7744D942B9B2DD47A445A2A8581297D3C12E0A253D3A71D2A5A9F2EFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:25.583{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A00BE7050FA9543F452CD1936DC449,SHA256=0B34BF1BA5BE63897422C5D56A8F2C40E37FF3E405258F06F21EB0EEF16A8EF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:26.614{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE2055C2C465444230FB92CC764AE2B,SHA256=7F04DCC96B50DE7336708C46A3E957CA0BB36CE0FA71347420A0492F85A3AE57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:25.998{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020E9C33A4C30129C6276ED34495123F,SHA256=21FE2B73C6D74DF61B8B4461B9A9721436F06C0B2EF4B22C372CD5B72E22FBEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:21.989{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53927-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:27.630{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F468D9DE032E5DC1D48AB04108AC2F0,SHA256=4A5289916A1D8ECF6D706C5DB191CAB03A04F3F6844C4D8ADA79C08175BAEF98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:33.049{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58982-false10.0.1.12-8000- 23542300x800000000000000030727261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:27.000{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4D3B1AABA1FCB0D5F0D40ABAE720D5,SHA256=DCA03682098909BC962F5A0F9479330E4546E83FCC9CBAB66A6765612E9E461C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:27.036{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B4F6D2130BA86F3F5EB4AF877DDF41D,SHA256=64D3D7A8FCD9585E1A36DFFBD71353E377E6D61B33C116B496A386272BD65B04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:28.645{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2420A3E9A64F4118A87FFAE2EDCE0C17,SHA256=CC278AA9AB79338E7BAF78ADD82841085A0F7B6F465F8A34AAD68F8C5C5A3402,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:28.014{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A3155331BD66C98AD025FD99B88426,SHA256=82A42D68D15A22898CDCDAA8FB907618753521E5EE2E333DFF85138C73D9B261,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:28.333{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1475F376BC7DF9920B9928DE07BAF9E5,SHA256=D77AA8DB36C13A39886D9FF2B336DDEC15D23F3A146E938F7FCCB73FB00F439C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:29.661{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938423F1B9B0FA124C142DDAF1DF6910,SHA256=5342FD35B886A11333A4AAC2EE79F2ACAB2F4928884597F57DEEAF291F1F146B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:29.045{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D05B8CC2312914B9E2D8C4A821E0AEA,SHA256=E0DE1041D3629DA1C98888FCB46D5131475619354909833CF29305061A92E839,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:29.599{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C8D867162D330F5476600CEFC357B2B,SHA256=E8AD2BC10529725AC98DEA1F52E8F9106657309F33BA9CFB067F76335089AF2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:30.817{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24183257575AA9601B2F7497EB4D73B4,SHA256=D5CB174B798E3CB2DE9EAF9E69A10502E04072463F5FB0D855F765DEAB2AEC25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:30.677{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AA4E2186C6B287B5EE9B02EE7A072B,SHA256=C2CA32B2865070259B1350A72DD83EFC5C7BE536229F3089201FF19B06F4A2F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:30.059{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93579BF1AF8A8A29D996FF8B56355D87,SHA256=7D21AB05B214DE372118BA851B28FA7E3565D06779CD2D2F43F48634E910B3E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:31.989{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9FEF967FB4F1648099769B6485FFFBF,SHA256=B93F4FF5847430D69EDF3810A39A08434CB087C0CFF968A6204F52037F8899CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:31.692{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA4162250E1F9A891FF60A3803547D4,SHA256=0C16FAC385AD3AACFB628AF978FD45F2AB65FDE954A09099ADE9F7C8DF1AD410,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:31.077{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E243F32B33558EF8F21838DABAEE76A2,SHA256=E6999559A17435CF44D4BB0839CB30274A3D2448C8FCD400C0EC885A9894CA41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:26.989{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53928-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:32.708{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2780127E9D1D2BB3295070447900F2A,SHA256=8115F496D7B6ED612D3EF62B647864AD1F197646E385EB5A320311A9ADBEF76F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:32.556{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=DADC954B36C485D332E73A9A054119E9,SHA256=CF8B2B715C5FF6279DA49DA7420B102CFADAF49CFADEB78E1F1D776D4CCA2795,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:32.556{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=2799616B8EA01D2DCF417055FBA97B89,SHA256=F50E1CFE4BA747B3CDD79C37147FF2CB551B3A17A4CBC701611EDC91F6844B6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:32.556{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=241FA623B83D87116D49F9FAAD9384DA,SHA256=C74639F896496FBBCC6342A8669D1410D872F6F113054B82F2B91CDE5F4F6CC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:32.556{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=B0FF6E4568F8A1C6E9B3A45BF53A69C9,SHA256=4838ECA4628400E764F65E469F8B01712B90BECED53F4D4C6C08E3C8D8D33719,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:32.556{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=9562349A234020EF6089F56AF3471725,SHA256=2ACA18B85D2267C3A540B00D5906FF13F69E4192E8C6B97CD02D765448D1635C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:38.131{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58983-false10.0.1.12-8000- 23542300x800000000000000030727267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:32.094{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F652A21DFF4279D3B0B1E27F8AE78178,SHA256=BF191144CB03FB49E4AE70C330092F8CAB6C317157EA6D8D8E4FF1F6D4D2B065,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:33.724{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B344737B7C6A71694007B9CBCA10577,SHA256=7099DB272D483C99DE46E86955B7802835FD487DF20876DAF8117F8A77C95F09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:33.124{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE768E195641470E2B0DE4BFDA48CC40,SHA256=51AED4CD09943FB44927D26ADFE131FBC498B78DD785E5D59DFC65E4980A8AD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:33.208{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE99723FB88C848E637BC827E588FFE,SHA256=2DFEFB8973DE068B1FAC4FEF7B5C7A254529FB4BC759425D08779CD71EE93FEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:34.755{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6C9447FF3CF20B7A5CF089C4FCCB63,SHA256=7CC3AE57273FA3FA5FEEA3EE7455428E79DCA878BB6B30B329398D53A5F1C0A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:34.154{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C17FA074C774E5F426D28018D7DAD7,SHA256=96FB9627319A237C0418A67DF2B6FE47C67DF8207C1E7EB975BDEEF5FC80DA3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:34.270{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8FA24BCECD3395DBBBB766B15E15E9F,SHA256=D7BBBA1FB629C2E5DCBBCB586777B9E32F14FE4EC939552BA41449F1A134A8EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:35.770{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A2BD5B847B5CECA11C592441691735,SHA256=57A688268B7BF6B6E29AB9D3DCA2D0CAE26EE507B5471CF80BFD8C6DF7C51DFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:35.172{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53869A0C308FE1070438C91E253832CA,SHA256=49A7D7C1573F485BE3371BE86B199EC7886525DFBFF705E417AF7DDFBA81A8A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:35.552{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66EC8C4EFB5B478383DE7B7165D0F920,SHA256=FB28529936D04B304D5E549EA506EE799E012CF25DDA7901A898ECCFFD8A7602,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:36.943{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9832B9962A8C22ABCC73C6AD88895DE,SHA256=9723A342CF7AD5E747159EB52DC591204F361F917DDDD0955F8AF8A982BC5E9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:36.771{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2AAA481A48DCBEC30FA23DA7784628,SHA256=A54AE5E987670CD256A88CB15FD1C4CFEA8738E9BAD70BBBBF3901FA8A44DDFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:36.206{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B320AC36F86D317338751FA30B74F666,SHA256=BCF171D9F5B1923BB6C836ECF89C78B82DCD3DC088D75BF3F79B3BA2FF670A50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:37.818{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C04C83BE26C218383BA129B5D70CD4,SHA256=1193DBDF8B3603DB1B917B850020FBEAEC013815FC7560EFC32BD6D81721CBB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:37.236{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7863B3995BA2FED433AB94A9ACE66728,SHA256=0B5D6ABE35A570CD1FDB5C1AF0E8E316F734C0478A9EE671C79707CE494CE4B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:32.974{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53929-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:38.880{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0FF54318AC22C7889D86493881B845,SHA256=2647155E129E338E03D61139E3FFAC4335B2583DBEAE3F88FA34CEED2E1CFE42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:44.125{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58984-false10.0.1.12-8000- 23542300x800000000000000030727279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:38.268{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5CC96339E57524E40B4C8C95C6ED6B,SHA256=587F70455BC2E878F1BDC17FFD364EA128BA77D5B7631AD41F1F0642E75D6C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:38.115{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8902669B719A35E725E4808E055C3A,SHA256=5D95A1500E2D020F9F9015B8571B866F0307B018F0CEE49F9712BF5CEDF9E884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:39.896{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95BD512B000FF16A34464EB42B489D7,SHA256=ED37D666347EB503F3CC19F76BB2AF15A00790F53E58356BC748D679A38A82DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:39.303{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24AE77A324A9ECFEBE3F9C621F71389,SHA256=EBB58FEAB9E23D00F1604E1304912B0A93B5F44EF877FAE3DC4B335CD83CDD3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:39.240{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5173B0E46F5D3FF3EEA478DC51773051,SHA256=5E96608E9B8FCA103F945A81120F56E1F01BA864D21821FBF578111A248FEA6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:40.912{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5048D2729BBF05A198D35E4EE49A3277,SHA256=4B52DE8ACF06F9F9DB8C4A4891BED0C1D7BA2EC031C4EA32FBB1D811A66EA19E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:40.367{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344E76DFD4FD422093161ABCBB3D132D,SHA256=C0E3B9A46544CFB4BA80580428030E0AD6407234712AECDBAF41BCEC08A8086E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:40.396{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA3DDC09F1F3C6BB068CA71E0FD3C82E,SHA256=58187328BDE70A4ABC3C7ADC6CD53DA4E15EC31582A4CCF6B6D47DE1DD2C4F39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:41.943{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BDA4178658103DBDAEDD2C56C48898,SHA256=C8D847E8452C6F990DE0E001E1C83DC236F127CCA3F17B4F94FCE0205E11244E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:41.386{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766AB036B705D5C4C3AF6A9D8E298535,SHA256=F8700E319804BC15BDA4B5E3D3E85AB7F4AE8CBE067F1BEC01063971FFCD5FE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:41.662{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8082CC55AB0437BCA2CC46768F0504A,SHA256=F5BCDC55B03FC28F5942FAB4471B28EDA1C13D5CA7C8419EA5643E09AAABB559,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:42.974{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A6DAC65811349D80321287009B82FB,SHA256=A558D5FBA2A212FA01554B123D4796A2E91BDF29265B2C11F4C4AFF6952E753A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:42.416{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD86D313EA87DA38F068290D6B589B33,SHA256=D6640ACCDD51D7113CD4CF955C3EC2B154ABDFE96AB06A93E7059CF66B268742,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:38.974{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53930-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030727285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:43.446{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBB328741BB01A709A548CF4798E5B2,SHA256=0D35D5E82FDD5A707C78AAA736751D33D3982E09AAE4EF463DB23A9448100A93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047961321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047961318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047961306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047961305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047961302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047961300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.974{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.960{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000047961288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.521{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047961287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.521{3BF36828-666B-6125-A0F4-00000000CA01}33441136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.521{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.521{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047961284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.302{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.302{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.302{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.302{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047961280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.302{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.302{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.302{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.302{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047961273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047961263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047961262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047961249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047961246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047961244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.287{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.273{3BF36828-666B-6125-A0F4-00000000CA01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047961232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.146{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85C3CECD0AA2390391C80E6561E198AE,SHA256=DBD3D3410E4EA046CBFCC81B6B56F61AD36D2EC20AB19A671E6626DFD95CC3FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.943{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF6E4E1007DDC702CCC7911246C0254F,SHA256=1890316FF5DC3998A43ED0F85FE2BEDF841141A033A9924CFE345ACD63074DCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047961404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.834{3BF36828-666C-6125-A2F4-00000000CA01}54085532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.834{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.834{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047961401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.834{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC5857FD64046C929464E565155438FA,SHA256=75DA633BF152BC7FA36A024F17002F4674D51A95CC2AB9E296E0E08A786FCD0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.771{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D48060E46AEF5A3831B0BE414065B5,SHA256=2A0108629CF5F99FAAD9854D49A67731F2ADAD6F48E69F8983171CA82C85AB4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.677{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.677{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.677{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.677{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047961395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.677{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.677{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.677{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.677{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.677{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047961390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 354300x800000000000000030727287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:50.067{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58985-false10.0.1.12-8000- 23542300x800000000000000030727286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:44.464{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D14804D6A5C0502960C0265EF26A85,SHA256=E1ADFBC20D22CC992D74BD06931D03B3BA85FC391A92A754A971C61C0E81342A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047961375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047961373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047961363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047961360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047961359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047961356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.662{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.647{3BF36828-666C-6125-A2F4-00000000CA01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047961346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.412{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D2C010EFC40FA91C0D9B0A25E13C24,SHA256=EA2124DEA796F38C75AE801C82860DC08969C4A4AF6E14CFE42B69DAC9FBFB17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.412{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC65E63928A3BDBE981F05D04649FCCD,SHA256=8B68B014FDA4FB759102600388E0A100627FC9E5DA25122E0E3E20BA3809B153,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.130{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047961343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.130{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.130{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047961341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.005{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047961337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:43.990{3BF36828-666B-6125-A1F4-00000000CA01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 23542300x800000000000000047961466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.552{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C2237326E0F37E59C92DDC366848B7,SHA256=B966E4C6353F5618E715EC0406ED9F4436863551F440EB0590E74740CCBEE0C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.521{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047961464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.521{3BF36828-666D-6125-A3F4-00000000CA01}53523256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.521{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.521{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047961461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.427{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD809DF9218DEA3E26093A8ADEDB8E0E,SHA256=84C4765CCAD47ADC7D2F643FD597BA9350208B5B0175AE2948645FEECDB6CF40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.365{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.365{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.365{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.365{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047961456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.365{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.365{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.365{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.365{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047961449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047961438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047961437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047961425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047961422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047961421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047961419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.349{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.334{3BF36828-666D-6125-A3F4-00000000CA01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047961408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.099{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3662B7383A42D498CEBD4B0B727710B5,SHA256=F8EFC5B17B13F38A5A42D62D541120577EEC0812D8EB2BB6FA66185A1527AB58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.037{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CAE3B7EFC2FC9B56D9DB2775A5AC94,SHA256=86E89303AF5B40DE6754A46FAB712E237926D7893831557553F0EEF30C174DC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:45.021{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C8282DD5702C8A66980985474B4EF04,SHA256=8EC7F999EAF35BE5B280C3396BAAFE5A9A1A68B2B1A8162C1C42EC746EE9A40E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:45.497{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D406D01E66E86CE251A55AF2E0B255CA,SHA256=EF17154F0CD8170AC47B9709DE93DFE158CCC819817E9E84B3794E5324F3B950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.974{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984D985EA28E2027B124587453655181,SHA256=EE18517F65DF3054F81B5C8F25D5141FA3347CC7E377208B3EA59EFF668E89B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.927{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047961584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.927{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.912{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047961582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.880{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F1D68E302B77A7661C70ED1D99420C,SHA256=A116091A11488E4DF21447C2F782EB33884F5D3A2E60925F059DAFC93ACD4F04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.755{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.740{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.740{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.740{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 23542300x800000000000000047961577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.740{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F0F8C7FC371BD9E55D5220349591FD2,SHA256=D7812BD11BA6EFDFA4A3E97CD5078E9F01832C63680575B5539867F8CC589AFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.740{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.740{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.740{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.740{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047961571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047961568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047961549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047961548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047961547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047961546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047961544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047961543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047961540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047961537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047961535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047961532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.724{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.709{3BF36828-666E-6125-A5F4-00000000CA01}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000047961523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.224{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047961522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.209{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.209{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047961520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.052{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.052{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.052{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.052{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047961516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.052{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.052{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.052{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047961506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047961505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047961492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047961488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047961484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047961483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699825C2858F95178296196EE4018A8A,SHA256=2744613737B360DF08979BFDD7C7B6314EEA16C478F838F433F71F09C5B5C5B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047961480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047961479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047961476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.037{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:46.022{3BF36828-666E-6125-A4F4-00000000CA01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:46.512{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9855A5D40EF86AF800540CBA99DED58,SHA256=B1B3EA70D482CF84845110D58CCCDCA1B578CCEC2BBE6DCDA6EB147C771ECCA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:44.084{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53931-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x800000000000000047961644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.599{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047961643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.599{3BF36828-666F-6125-A6F4-00000000CA01}48122264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.584{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.584{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047961640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.443{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047961636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047961629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047961620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047961617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.427{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047961607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047961604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047961601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047961599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.412{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.397{3BF36828-666F-6125-A6F4-00000000CA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047961587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:47.037{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D659DEA7C83D291CFA4BF2220556B83,SHA256=72DD95F2DCBC8CCA7BFD8F84EA37CCE612CBD22E2B1C071A949C4A27952CFEE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:47.595{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=FA40A1E315E7BB4E2A86CF5E03AF082A,SHA256=F3AD534DC851946B8B54C5788B0B06CFDA596368E2BF94D9D7BE83F67334471A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:47.595{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=97FBE37A769A97E53A43B5D1774B71D5,SHA256=754564DB4AB1581155BD76C39605D40313A563033AD034E18CDE884AE783865C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:47.595{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=FC8D261E9A9033BE60F86CF1428AA654,SHA256=5FCB949B01977F34C25405A1F73E0EB56AE3FE2BB815B991DCFE85EFF0695B4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:47.595{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=AA0D19C91DD61C0465BE1504554E33CB,SHA256=45B5DB7AF513603149EF509B4105DB80120D28E990E99C5371E76BF819E929EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:47.595{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=251DDB06B293F930660C8D013F2580C8,SHA256=066A8C0DE79D620C1DFB2FBB60C16E92CAE873EE59F38FDB71DCA30F23431518,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:47.542{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964E7F9044BC803AA9C4DCE30259FB7B,SHA256=343083E1F6540D6C99472F2F788E82152C35A19B995FF3365494ABEC447B617C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:48.990{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0DBF95A4C47D70992B896838D7D4C30,SHA256=26763BE84C46BC0CB1045BAAADF8B7F88EC54C90BE3A72E156592111646C4672,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:48.849{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5CDF19A64D1B179032E428EBAAEDFF1,SHA256=17062F8A452FB245FAA52AC688051ACCF703B9182BAC7C3119937A42B0289B56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:48.224{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E120E52FE03742B9E95AB7E884ED5CBC,SHA256=BA49993A7C3775AF4ED400F8D36EFF1F48D6A914D27F3A722C73D105F2CE7154,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:48.209{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82E102B42C14AA9F46D2B7153F014AD3,SHA256=75FAA3DFD57FDAE8B18EF6977F0325A2357229C7F36E0166C68F50EFAF80AC2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:48.209{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F3FDD87F520089CDC7FF24E52B0CF4,SHA256=C4D7A221652EC09ACFA2272D43A2DC76FA85A0BA05D5F30948ED42DFFF219FB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:48.560{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB9EB2287C39C7DE212FA479A0B59D9,SHA256=C0BC595D69AB6DE65DD639CA0838FB2F9262C49B72D6F679B303992C80A150D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:49.709{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E7A0D51EC9EBDBB7F0B84EB969D9B72,SHA256=EBAA037195D9E5E757267F02E459D3B009AD2E8511F5309E422EF2E033704505,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:49.209{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5668E27490944E72303FB42597E67928,SHA256=FFDFBCD837A81548EDC279C3E1650DB22B3B3CF5CC0E5E82FD4591AFFBA9EEB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:55.093{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58986-false10.0.1.12-8000- 23542300x800000000000000030727297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:49.578{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE360667BC7C5CE67A98EBCA0540491,SHA256=676773FD8A53558BD7A9F050DEDB32603A790B9FF1C01E0D57F35585D1F1FBF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:50.646{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2F8A035755A5F85B0941A459FBE834E,SHA256=B2E3D74CA42BEE5DF296DA5E0B29C1E1DDBE73F83CC04C4F7CD3DFF1797A3A21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:50.240{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D09B88C69CA5BE2E801E91818E831C,SHA256=76B59D26E6B1A2F2BE54285B1F94FC899F08243EBD501975CBC2520921FFFBC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:50.608{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B560E729E0F6BCA78E2B471D1AE061,SHA256=ED7DE5BD3290242663406B30FF7A344595B06268FB8D029BF78BC3B1FB5DF508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:50.068{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9142F8B60634B627F827B4DCA667AF88,SHA256=F553E26CDED8A818157C9C181498DABBC7BC549B22B429D294CA556199AEBA45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:51.646{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FDD4230A27E7D705680CEE517AAC2B6,SHA256=BC302263BF970E42C7658E048F57FF3561B3D0706A79EE118FF6A3EC6BADC8DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:51.287{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=728A36423CAF34B44E8EB80E973440A0,SHA256=4228F6954D96238947172AC01A2D39FF13E606BCE3B1D8CBF55F704A9AB3B1EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:51.287{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E843EFD7BD8184C45B84B1F03981A925,SHA256=03EF1389B825BD9C34451D74BD9A2FAB3F4E91EC7B09DF92BED669ADB2CF6922,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:51.638{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551EE5206152480F5F940997C2860A73,SHA256=B21E771FBBE9DDA7B3C6FC852ECC4CECF36317E119A032610C4613891C0BF057,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:51.292{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:51.292{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:51.292{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-4012-611D-0A00-00000000C801}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047961664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:49.152{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98754497- 354300x800000000000000047961663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:49.152{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98764060- 354300x800000000000000047961662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:49.150{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98757634- 23542300x800000000000000047961661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:52.693{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97B3E489F55BCB1A312A3D09515E14E3,SHA256=F977D48833E72188C3F54EF6D8E131F42C33C72A7FEF5568F844206D6DB0E9FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:52.318{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04190427FEE96A931754697CBDE78FB1,SHA256=67D03F0FA6BFDFB7958BE957DA7747C7AA9769F97AE104EF49498A20E95DBC94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:52.655{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB2B30DE59568BC353567C29C127BE53,SHA256=3B53AE007EFDA0FCF7C6E3B415F0B1DDB61AF98D54F1A1374E5255C71CD38769,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:52.271{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F27EA7439D097241BE9F8A1244A7BF7B,SHA256=A37C2792C570DEF1C37737E07E8E1A779F47E264D337D7BDF90F82AB44DFA767,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:52.322{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FBFC8441CEB588987F57032ACF4D5B27,SHA256=C7E112047BCDBF59174E5BF5E133AF214023A4DFF105FCF4B4C281FD934B98D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:52.322{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=36CE1BC3560DAADB166C3F7EE853CC21,SHA256=EB22D6092E18AE9D574B59CF601B96F9864E9B8731C823E92BA0AC67AB5FB4F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:53.740{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69FA0ACC3FF359A7C762BCB753BCCF21,SHA256=1CF5E58B0EE93B3E1AB2B53688A1688E00374334FB03F659A3067A87D468EC2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:53.365{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542746037DA7AE82C6D6977597A1D42A,SHA256=DA14FF4AD4774A3819242CC95614A98649B71D7975CF96F79FB4ADD24D3C352F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:53.658{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C4F6F493684410A1EB62224EDBC22C,SHA256=AE4A994797B2BC84E2202DA7A69A19E7858FD92CC4665762127E52701B3D7B32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:53.318{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0DF43937F0932E61D4B7DD65EC192D6,SHA256=90E3E71BEF8D27A99FAFA45F3F5018EC1EC7F5E07B005926D8BF4761D8B557B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:54.756{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179139D79F107509FBC44843FBD0BE8C,SHA256=19BAF7CF3A133AA5815045ED515223EEB67F0EF35DA4BABEDC68B0E9FB071D5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:54.380{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68D67764B84E985885805885F3B78B4,SHA256=C18AF270CEFF24C0CD41299FF70F33E5E70F9D4D2E66E4DF7F8F3311D738C83E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:54.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39813D0FEBB86D3F737AF17DBF9371D,SHA256=2BB4C730FEE5A2FFD7EAEC557CD7697BFEC6B7BD189B294C8325FC456A2A469D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:54.365{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F6A98E5E82D2C61AEA96A44DFAED212,SHA256=B02A2BC40F81CED65F4C0F28B81B3D527EEEFA10E026E906799D889AD7A96A5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:49.974{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53932-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000030727308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:58.250{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local58987-false72.21.81.240-80http 23542300x800000000000000047961674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:55.740{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=291EDB3CBE01DA5DC38D26B6941B42D9,SHA256=29CA2CD5CCC56F10A398272309FA58B8A59C26B8D7621293FBF99CD345E7E8C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:55.380{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3989B8D5FDA9DD694EDD32E930C66B23,SHA256=546B4C238D57C0BB7BBDFCE6AD1F9B3D0B8BD41B0E352CE7A017487C24869EDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:55.380{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=930516DAE017CD7C1A2DE33455160226,SHA256=AA719F7EE9494784EA0ECFA865C2246A1E52F56232C0762CE80249E1E1D06B5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:55.688{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF677A1F76AE3DFD6825CBADD5F027D,SHA256=936E3A1FCF4EFB24CEAA0BD427B40049865ECE6C807EEEF6A53608830F0D2321,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:00.126{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58988-false10.0.1.12-8000- 23542300x800000000000000047961676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:56.383{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB87D8E7F1DDA9C96AEB45C620DA6986,SHA256=C332B7B296E54FBD9C326412192CDF85637AEF367C59E171F0DC104AA719A526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:56.703{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322562C0C3E85D2DE1F9636F9D0581C1,SHA256=32084E2ACEA07F03E0FDA6D91C48052C78965CEAA8725F0369FEE4D3635683BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:56.367{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03A1A571A73D03B54C555890A5D3663B,SHA256=D1B900ED77CBEB1F7F1D6D349E713CEB9949789C26B6C2B7E2B23ADD897042DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:57.398{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AF997A48E189F3C4E6EA891919B58C,SHA256=2C6A098A7042C256229EB7A17950CC3671F7E45A7DC7E35E9B6F41B97113F90E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:57.717{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CBEDFF5789F27B2380756E3BD828AC,SHA256=B9F8F6B53E77D3CA0D29E73770F77C1C85C2E378B394FE0A0934BE6AA0F49751,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:57.383{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B7C84E39263E0020F584CD89C23CDB,SHA256=03961BF12BC875790D743EA80B88DD95B4D1F8C9AC3DB82D8878F0DBC3040F1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:57.023{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28036441261F3F06294A1D8E834DAB40,SHA256=25A128A070D7EF1E8B582F19B6B8F1CB5747ABF2CFC98EE4394143593FACA4C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:58.414{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8A21B23C820C0C6E801F765AF0F7225,SHA256=5E762C903D4824DFB29B251FBCA07E55EFD91133B5EA0B0F079534D03CF6E675,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:58.398{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A423A108DFB55317A8AB7E7129E8F08B,SHA256=D692E1FA05B065964978C664C836CE4FFF9BB1B2CB25341F2912F666EBD9AB2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:58.398{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA5420A95961240BE9AF14EDBD4D2F6C,SHA256=6B771DB9CF7DAD0F1F1DE7C96CFF50CEE7C9587FFCB259503726FFCD65544BB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:58.750{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8ADEC1F9047FEE8CC842C97CEB21ACD,SHA256=9B0CBBC8C682C8E9E02EC6904633C445B5E8EA16FC871F1646EE684632CFEB0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:58.039{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=721C5776CB82334C50ABCF7FF9F35234,SHA256=D2C134DFEC23FF833B8B9BF14D83143A975D2CAECC90CD6DF46F6DF2EEDD6478,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:36:59.799{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CAA6CFDF6D2B860596221AAA58F2C7,SHA256=C9F8E4B2928A0414B22DD3C5431DC5A9AFC89C6B1B98C27B65547FC88AB95614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:59.680{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39CBE90FF0AF1DB70AC31649464D186E,SHA256=69C5739587A239C9B3AD49F5DC1B7FC365E93F1B4C40AAE6C4226951D90973BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:55.102{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53933-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:59.414{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E6F7D7DB969A8462469AC812F50FC5,SHA256=021AD229267B2547972197C3F55EB9F2F0D7847E274A5887C44AF1D916C29A1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:36:59.055{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=482B59AA06A08FA34425BACE0BC84AB7,SHA256=EEE507E46205B24150A77FE04F7A3AFE779F4A9D0EF275550354FC7DB39E757D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:00.814{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE7899CF17D1201FF2F12328C7303FF,SHA256=D94AFEABBEF66EE593A2C3D02191A74EE86098EEB2C8759388B7E5DC5215A518,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:00.664{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2F15035CC80214BFE6373985DFD1E14,SHA256=AE6DC8FFD824A7012F3EB749E021BC4931070235C3D3CC83B30A71112A233CBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:00.414{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A72AE27ACD71EDB2515B3721063E50,SHA256=6FC2C7D067CB658A6D343F2BC483BFBEBFF843A9DD3EDFC6904E9D6A14C7BAA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:05.168{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58989-false10.0.1.12-8000- 23542300x800000000000000030727316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:00.215{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ECFDECB943F87CF86C02082FEEB318BB,SHA256=D753910523DBDA71DFA3F8074CC03D6B1C6C3DBDBCF07E25B8308A65343F41D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:00.039{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D61043EA7573C8A99FA80881E91FB7BF,SHA256=931542BBBF2EE4B1873111EC2F1289C58A4094541E7BB99D57D26C2C7EAAA7B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:01.847{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D137B0413E0E002C8FC64163F8423072,SHA256=A126E236C7D1B40BF99399501F6A24B3D52988A8B6BA5FDF56FBB7058A803A61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:01.649{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BE366BEF3973587F498E0CD69B48AA1,SHA256=19C327425FFAE8CAF87007C8DBBFAEF04CFC6461CA35F7E5903E16415A5E74F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:01.414{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BCAF0B5B59D869629BA74B03F52265,SHA256=6D21043E206D8127B9004FE2AE3DFD90DD2CA1F638BA8C5F49C092C77E627E94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:01.023{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B678D9165FA2CEF9B80CE346908D75B6,SHA256=4AA3A4CD568F35002DB2A43549D9130A8176DE3383C881B88655473E3A19C7B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:02.884{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8345F4064181F3B667A4FD1E498A98F6,SHA256=811ADFBDB98DED65B85BB08C798919A3CC4ABBB615C66318E627338868A1CFDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:02.633{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E51960536A478FE366D126D3A6B51BF7,SHA256=7975A0791257D16998ED329FC9DB7AA4BA3C012131BFD1FA95009B95091D781C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:02.430{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8535BB82089E44507DBB772482FFBCC,SHA256=D5E57948013E8F2B9BAFA698954FD3D5318E3B79D06F08F3631024F21F21EF63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:02.008{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B46085688C414DAEE76315AFB3DAC565,SHA256=AA8EF83E25DA8E473971B7F3481097576707A3F9DCB468AD12A8DC73DC6BA1E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:03.914{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-667F-6125-C000-01000000C801}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030727328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:03.914{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DAFE333BB41F8AE546A8A39CF3C0DB,SHA256=F28F7104D454D6A6F07C063675ABE424C33B5265013782BB77B5069B5E7D60DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:03.914{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:03.914{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:03.914{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:03.914{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:03.914{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-667F-6125-C000-01000000C801}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:03.914{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-667F-6125-C000-01000000C801}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:03.899{B81B27B7-667F-6125-C000-01000000C801}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047961699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:03.508{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC1E0A3E34AC789DF4263B4533D72E03,SHA256=6ACC18277D2438E39F4DF02E01827DBBF2B634CAEF1726173DEE44842DB7CA0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:03.445{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA35F3901AA217527C0B577D1D9B0B3,SHA256=91F2FAC5165EB724C5155A0219B0FEC3CDD3077F789840F268076914DB8A2175,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:03.258{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE14B6FE7E4E003A685C98AB711057D4,SHA256=346C4D03FBDBC6666714D319C6F17B66E4E9547BFE0F07BDF59D04A131B65D78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.929{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1A3041145DE97D0F4847EF91CD5586,SHA256=D8EB38541BBFA27984A0808454C0F1D9D60C9FCEDBC7C11603C62158412F67F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.923{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6DAB0CCAE0B7CBD599FC47285C7D1CA,SHA256=EFACAD53DB5CAAB28BD4743BAEF97FF4EAFB8922F3A56B65ED54915F0F1CD8C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.923{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63AC1D219908C0457ECE12030F0C716F,SHA256=CF1D1043C284D0C90672D41413E1080A8E813B997C668F451A4BEC8931799745,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:04.492{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=233451451FCCBA1798193375CA4CC80F,SHA256=034CE98EFE5E64DE4CC73356033436C95F877C152106222C6DB703044DCDF911,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:04.445{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC8CF68A98924426F02F89F24F1033A,SHA256=DF46B7B0DA07505D0635ACF238BFC856B0981EE81348AF5C44D22697529CF9C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.782{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6680-6125-C100-01000000C801}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.767{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.767{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.767{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.767{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.767{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6680-6125-C100-01000000C801}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.767{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6680-6125-C100-01000000C801}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.599{B81B27B7-6680-6125-C100-01000000C801}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030727330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:04.098{B81B27B7-667F-6125-C000-01000000C801}41925392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047961701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:01.070{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53934-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:04.133{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11BC8348AE0A4F5C7BF4F26C9FA3EFBA,SHA256=E2D9165A0FD6EF46ED8D3D9855C80F72E04F522C16FBF9C8337EAE0D1867B597,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:05.934{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B822A14220EC8D94B6CC62D7E13CACED,SHA256=24A3C64241B5ED1B699ECB9DCDF30AA806B3EC7E2941416A71DBAAE3816C427F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:05.648{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B7AD9BF94585582C0D4B5E11F7DF5BB,SHA256=41433EF6D13BB6F1DE6A2D197328E7C5D770E6BABBE5C0A4956CF41B9D846A2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:05.633{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74619BECF03822BEBD59EDAE34FE01B4,SHA256=CE55674AFCED510C82E4624BD925CFA08BD2247EF50CDB68D6589F978BEC4BD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:05.633{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF9D9573F62AD23CAF8343505E49470,SHA256=775EBA7447E3AAD968C07D9BF9F3BF63EB4E7C3D053A1C97C4C02D7102EA4793,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:11.019{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58990-false10.0.1.12-8000- 354300x800000000000000047961705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:01.930{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53935-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047961704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:01.930{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53935-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000030727345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:06.952{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AF129F4F062CF59B162F2EAE56E825,SHA256=3CC139408F7A6C2012C8C33E0BC80EE8698172F3E60E02901F9985E090B8F054,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:06.805{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C132DB44543DE1735CC290F6A2446D72,SHA256=6667AB22C1FF46B63A58C58F443D7614A167097D6C77824A9D8956B30DF0CF74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:06.649{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC18F070D78354A44E0AB2062F0981BF,SHA256=AFB757A1A1B28F6ACC237A115F14ED84EE0A7087CD3679282E48496F1E10992E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:06.052{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6DAB0CCAE0B7CBD599FC47285C7D1CA,SHA256=EFACAD53DB5CAAB28BD4743BAEF97FF4EAFB8922F3A56B65ED54915F0F1CD8C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:07.945{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=795C7140C44C53AFBB38063B37071437,SHA256=639FDA6129E5A67797AE18B489D1DCEE7D79DAC06C4068181A6CE9970ED9A6F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:07.680{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9F7C075FBF6F8D43C22755C2A5B5D0,SHA256=922FCC64E1F0E0AD2C3A0155E567C30FCAAF62C343F1F8927890E3C8D7BE4C47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:08.711{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC49924917DA01A2EE579C32BA2C3AC6,SHA256=BD195E836C263142DDE172FE0E20DEE737F49455C54E08F8F97A542C2E121DC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:08.001{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033DCC5AA031B4FEB7415637B015AC60,SHA256=DBB3938A0F4B122079067EBC6ED7EF21668CCF56CAB9E506E5D5B18D979A6398,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:09.712{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D45DBB1802D8CFC6B032104C0521DF,SHA256=BD798E02DBB5802943BAE1717E21EE0FE918CF7D4939CA4DB395A6E760C8E6B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:09.016{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5432F3189CED70868FE8745F1EB17A,SHA256=865A411523FFF39B9BB9C97A8E1082C02FB2D66DB626D3DBCA72E8439614F5BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:06.070{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53936-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:09.228{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70B217996470CE754E4689242CA62990,SHA256=ED2354259120148EC66E78A81151027CC1817736D5B5DB38C844F25C4D5EFF2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:10.740{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1032EC9BBCF06212A461D94D12BA0F,SHA256=0C55AFB7BC6CD3C9149B4D62EDDC9834205380CEF1F1887046B0546C32AFFB18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:10.051{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8F736E99CEF6574A8DB97D87EC59F7,SHA256=6D1D8AAFBDFA93D481681826C724537DDFC78CD85BBC60A4DB773D48E19C3248,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:10.474{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E66F9B7E4E365AAD19158CD49892753C,SHA256=5F60DE76FD5BE202F0C93F63E6047DAC41D5636254427331304FC0585F919DFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:11.962{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EED26F37BAB1E7E23B90DC28B8116FEC,SHA256=120DDB9C3C3885EFD002B22CC85D962D8B0F10EB4DC576F1E05FD1B85119CCB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:11.962{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C631D07B2F854078DD4E9C1776CB558,SHA256=D30E3FE86CB2840775AE9C25204617A95DB8600402A39D40C34E19EA735A7B95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:11.868{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:16.152{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58991-false10.0.1.12-8000- 10341000x800000000000000030727352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:11.383{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:11.383{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:11.383{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030727349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:11.068{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC577C97DF539939A21F378E26F0F9CE,SHA256=FB6E83C662336F4D94C1E15CAD203F94552E06BCC490B5A9CFD9E3888DAA3E8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:12.868{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825C52C6F43A7CD267DDDB4D05AC1BB7,SHA256=6C465A287DAFAB9C9929858B2833F9F4CA8899208F238E3325540FE2A6966919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:12.098{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCD29FDB73BFFECAD7B95ADDA9DE8A4,SHA256=6460EEA5E57DDAF32458BE36D1EC1E7446693032768FBC36C62ACFC180C41DC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:13.884{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3684E739A43362B586AC9A4C2C9D8D,SHA256=E81D3DD0632A63E5B8EE934E2BE19B67AE230ECA44D62453057541305F5C5219,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:09.697{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53937-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000047961723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:13.103{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13C7FEE7173B71B00471273B79B82AAE,SHA256=9A4700B016706DAE599EA0372B019F938E20DD852C0698F8416269849F0DA26E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.996{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.996{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.996{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.996{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.996{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6689-6125-C500-01000000C801}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.996{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6689-6125-C500-01000000C801}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.981{B81B27B7-6689-6125-C500-01000000C801}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.750{B81B27B7-6689-6125-C400-01000000C801}6160ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=C1B0D636F666562A75C7F801A3A1ED82,SHA256=CC208EE9BE4F02D39ED37C3F48E187E42DF223A5200DCC3C0B3B26C731C470DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.646{B81B27B7-4013-611D-1600-00000000C801}11961512C:\Windows\system32\svchost.exe{B81B27B7-6689-6125-C400-01000000C801}6160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.646{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-6689-6125-C400-01000000C801}6160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.597{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-6689-6125-C400-01000000C801}6160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.597{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-6689-6125-C400-01000000C801}6160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000030727384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-08-24 21:37:13.581{B81B27B7-6689-6125-C400-01000000C801}6160\PSHost.132743146334534764.6160.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000030727383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.565{B81B27B7-6689-6125-C400-01000000C801}6160ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_r0fvpopj.n3a.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.550{B81B27B7-6689-6125-C400-01000000C801}6160ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_ercjdccj.psp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000030727381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.512{B81B27B7-6689-6125-C400-01000000C801}6160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_ercjdccj.psp.ps12021-08-24 21:37:13.512 10341000x800000000000000030727380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.481{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-6689-6125-C400-01000000C801}6160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.450{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-6689-6125-C400-01000000C801}6160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.450{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.450{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.450{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.450{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.450{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-6689-6125-C400-01000000C801}6160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.450{B81B27B7-6689-6125-C300-01000000C801}70966552C:\Windows\system32\cmd.exe{B81B27B7-6689-6125-C400-01000000C801}6160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.453{B81B27B7-6689-6125-C400-01000000C801}6160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-LocalUserC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-6689-6125-C300-01000000C801}7096C:\Windows\System32\cmd.execmd.exe /c powershell.exe Get-LocalUser 10341000x800000000000000030727371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.449{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-6689-6125-C300-01000000C801}7096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.447{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.447{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.446{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.446{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.446{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-6689-6125-C300-01000000C801}7096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.446{B81B27B7-6638-6125-B000-01000000C801}12085068C:\Windows\system32\cmd.exe{B81B27B7-6689-6125-C300-01000000C801}7096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.446{B81B27B7-6689-6125-C300-01000000C801}7096C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe Get-LocalUserC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x800000000000000030727363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.350{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6689-6125-C200-01000000C801}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.350{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.350{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.350{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.350{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.350{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6689-6125-C200-01000000C801}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.350{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6689-6125-C200-01000000C801}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.345{B81B27B7-6689-6125-C200-01000000C801}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.129{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907909F724D1773F5EC901FA5E468DFE,SHA256=FC1CBAE7C715594884161E40CDCF34F2755D18E29206D599A981A491873FFD84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:14.900{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AECC5524C18191561D4F80437AD010,SHA256=2FE731B37CA7EC05C4485416D724A8B6BCCCDC928063F75713339911527334EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:14.511{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6104B890A78AD0AA4E83E9E605BCE401,SHA256=C6B0C480A864FC40B8FA8144789AB3504FBF618B5D2F4C018453995BADBB8A5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:14.180{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5FB490706674127D714A21883CBC8E0,SHA256=369B61E5A460A6DEC8C989D0A96D99C092563730F98A52A5673B6B11FE53EA5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:14.149{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37999BA2B9B24AA47CFA1221647753F3,SHA256=F79DCEE70FCFF8F3008404AFF61292BEB24F032675685C05770522221CCF30EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:14.149{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46BDC2ADD1295082B583F85937A85DB2,SHA256=AAFDB3EC4EAA227455E69F1801B806E68E2E75CA168912A3BCAA8227C88E775F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:14.149{B81B27B7-6689-6125-C500-01000000C801}62764180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047961726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:14.243{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15A30DFACC170DF45AA587E4BDA8BBE9,SHA256=ADB1F86CB3F0BF213E389B19D3A4634F6DD594327EEECC9D071B137CE31D7A15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:13.996{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6689-6125-C500-01000000C801}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047961730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:15.946{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C936BDF8D1F2479369976FA8A62259,SHA256=B1860981B09A64E7C6AD75025409E38721DD5CD3FB94F3B8320D2B7F404C57F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:21.183{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58992-false10.0.1.12-8000- 23542300x800000000000000030727404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:15.195{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B445316FD8ED62D5E5695644DEE391C,SHA256=1B9E0348A8F3A8E24A0DFCD5A6CA441CB75B6E59EFADD07344B85FF4C0226399,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:15.195{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37999BA2B9B24AA47CFA1221647753F3,SHA256=F79DCEE70FCFF8F3008404AFF61292BEB24F032675685C05770522221CCF30EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:11.978{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53938-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:15.165{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A198ADA9D887D7B262196B6413F8269A,SHA256=E1F5E4103AA7D0EC91114B0CC36FEF8043E34CF5E37FEC392CF72CB07BDC58E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:16.994{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AC33FDFA150D8700DB1C60973CB82F,SHA256=74953C9B88A79E93E4911FF49E0003AE96B9E41CAA5902EF427C663D8859FCC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:16.211{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8919AA1DF2F338B301701101E3FD1F,SHA256=7DEDB827BA96888501EE7604137B21A75998DFA5E67F396E2ACD452369D2C32B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:16.400{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7A5DD803ABF3D6420658A4706406301,SHA256=DD1EFF0AFCA0F5A09BF43E1ACC45C3E23FD1EA5841D41E0B9D9F31D493BB497B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.710{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030727407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:17.226{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173F7A127369538E80203E717D583537,SHA256=3EA4B3D18C9CE46EA9B72DDCC89F9734CF1E849E2F29F6622E881270503173E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:17.869{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59CEEB5ED674DADA58227D364D3B9FF4,SHA256=2487E4A4F049F2050C2D7CE3BC46E3E87FE9FF437DFD3410D647053C3E54CF3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:18.385{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415F280644B6544DE466BBC928B1910A,SHA256=EEF77B2B837072986E2246FC05C36B615D5CA0A4FD0F3800CF869054D259F944,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:18.263{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F64947B0A0ABB9D67CC1E9306CD2722,SHA256=53CB51EF64EF4F835BEE46358F38F08C2B6F784529CA05B99951A800E9339133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:19.525{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F155C6414906DEC32E4F0FC37DE6B0CC,SHA256=F9B45007EFBAF60315E48E27E057216F9CCA84D3BAC02AAE1CBC10F387EA658E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:19.400{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B72D5F0C1C4272F59547188ACE41402,SHA256=91B5CFE624B083E3BD85E51617836CCDE5228CF745CC6F860E76A2B9FEA69CBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:19.462{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:19.309{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A27FE9148ACD8736C1600C04F35BA49,SHA256=CF496283162AA44C1756F038F695E1CA0A54C6B0837F5CCB246CB840AB00FEDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:17.104{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53939-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:20.572{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0A7D4BF9CFB0F322865690810409518,SHA256=3D87C1BF70FE5A4EFED19655E625F77AC1BC0211F7AE2CB783D4AE7049A4D39C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:20.510{3BF36828-401B-611D-1200-00000000CA01}760NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8A59C461C1ABAE188989780F4183DE72,SHA256=359CC5161D358041A17A511F75620BD7F40D48C5E547A8C794C7D46E1325E3FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:20.400{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D3D9E9B73A9B3BCAE323421432CBA0,SHA256=E654B2BD947AAEE56366087C3299BAF79EAAD4D6839F5D588BC782B87EDF0924,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.877{B81B27B7-6690-6125-C700-01000000C801}27566848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030727448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:26.376{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58993-false10.0.1.12-8089- 10341000x800000000000000030727447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.724{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6690-6125-C700-01000000C801}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.724{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.724{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.724{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.708{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.708{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-6690-6125-C700-01000000C801}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.708{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6690-6125-C700-01000000C801}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.709{B81B27B7-6690-6125-C700-01000000C801}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.345{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1B27C52524A207B678887ED03E8832,SHA256=F38F0C51966257B7D92E72763AB60FFFF1F38808C3FB31D479F26F24AD66363F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.225{B81B27B7-6690-6125-C600-01000000C801}59404464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.045{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6690-6125-C600-01000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.045{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.045{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.045{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.045{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.045{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6690-6125-C600-01000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.045{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6690-6125-C600-01000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:20.024{B81B27B7-6690-6125-C600-01000000C801}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047961742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:21.697{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D243B713FD18D58EADD5254D334D41,SHA256=E47209D9BEB993539302DBBE46FEE736B15825720C5B54C8992B72ACDE8C70C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:21.432{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8828BD80F1E5149D5AAE0C64013ABF1E,SHA256=D08544973F353F47DD8BF868BB2D66E70A1748CE9964663C3683E651BEF59222,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:21.361{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202544BEA1FF2DD0821FDA3CD629A75B,SHA256=341441FFF088FF61A776752087ED296F1B758A42C03A90C6AF16B192E36F6522,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:21.043{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AD78A4FA86396F89B2E08BE4CFEB08E,SHA256=25682A2882D1B0B21AE14884B6B0C9AFC16B298BD72954DFB1EDEF1B6A4F9608,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:21.042{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=528CC40F56C89855AC7617E5AB838ECC,SHA256=8262CC4FDEF6B11ACE5C5B14C41D89969C11A316D6D5407315EAD68B60D9C0B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.975{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-6692-6125-CA00-01000000C801}7088C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.975{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-6692-6125-CA00-01000000C801}7088C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.975{B81B27B7-4013-611D-1600-00000000C801}11966072C:\Windows\system32\svchost.exe{B81B27B7-6692-6125-CA00-01000000C801}7088C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.960{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-6692-6125-CA00-01000000C801}7088C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.944{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6692-6125-CA00-01000000C801}7088C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.944{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-6692-6125-CA00-01000000C801}7088C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.922{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.922{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.922{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.822{B81B27B7-4013-611D-1600-00000000C801}11961512C:\Windows\system32\svchost.exe{B81B27B7-6692-6125-C900-01000000C801}5308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.822{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-6692-6125-C900-01000000C801}5308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030727477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:27.114{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58994-false10.0.1.12-8000- 10341000x800000000000000030727476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.775{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-6692-6125-C900-01000000C801}5308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.775{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-6692-6125-C900-01000000C801}5308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000030727474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-08-24 21:37:22.759{B81B27B7-6692-6125-C900-01000000C801}5308\PSHost.132743146426630327.5308.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000030727473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.744{B81B27B7-6692-6125-C900-01000000C801}5308ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_2qwwt05j.vui.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.744{B81B27B7-6692-6125-C900-01000000C801}5308ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_ddu0lqad.vy1.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000030727471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.722{B81B27B7-6692-6125-C900-01000000C801}5308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_ddu0lqad.vy1.ps12021-08-24 21:37:22.722 10341000x800000000000000030727470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.706{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-6692-6125-C900-01000000C801}5308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.660{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-6692-6125-C900-01000000C801}5308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.660{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.660{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.660{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.660{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.660{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-6692-6125-C900-01000000C801}5308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.660{B81B27B7-6692-6125-C800-01000000C801}12882388C:\Windows\system32\cmd.exe{B81B27B7-6692-6125-C900-01000000C801}5308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.663{B81B27B7-6692-6125-C900-01000000C801}5308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-WmiObject Win32_UserAccountC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-6692-6125-C800-01000000C801}1288C:\Windows\System32\cmd.execmd.exe /c powershell.exe Get-WmiObject Win32_UserAccount 10341000x800000000000000030727461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.644{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-6692-6125-C800-01000000C801}1288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.644{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.644{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.644{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.644{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.644{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-6692-6125-C800-01000000C801}1288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.644{B81B27B7-6638-6125-B000-01000000C801}12085068C:\Windows\system32\cmd.exe{B81B27B7-6692-6125-C800-01000000C801}1288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.655{B81B27B7-6692-6125-C800-01000000C801}1288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe Get-WmiObject Win32_UserAccountC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000030727453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:22.391{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900124B41252E6F0402B306C97CB0FE8,SHA256=D6702A62670E2E38E76E22D2C86651A75DE20613C448308382E8A23D9682D4B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:22.838{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A0E963DC31A5FCF76A13C8D918C690D,SHA256=F502DDC7823C245DB64A6DF9059B2C59BE750C45F15D642E238474EBCFAF501A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:22.447{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9A5BF5554328B5D5D85436A3E91ABF,SHA256=032DB2317DD0D44EA948D6AF61128F7F8645EDFC1E96C23986858D26D3243DCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.707{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=236944EC3A75427CEC6002B34CB87F9E,SHA256=5B28389798F5ECB35AE6EAFC58002CC03A02B8725D5EDBB65D1C294F9B0F30F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.660{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AD78A4FA86396F89B2E08BE4CFEB08E,SHA256=25682A2882D1B0B21AE14884B6B0C9AFC16B298BD72954DFB1EDEF1B6A4F9608,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.660{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4119980C04C8FF33AD01CB46CFACD3C1,SHA256=53509C42C43AFF682F51D506FA4D25CD345437DF4FBF2A5E439AD19160B89398,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:23.479{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CCCB1A3126E7D0A134547962049B04,SHA256=523EE863F4C670D93FD37893607CB2D3CD2022EF98B6329564880A683A88D3E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.022{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-6693-6125-CB00-01000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.022{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.022{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.022{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.022{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.022{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-6693-6125-CB00-01000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.022{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6693-6125-CB00-01000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:23.008{B81B27B7-6693-6125-CB00-01000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:24.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE2B1D6BA7793178449D9011798D508,SHA256=DBDB65AD99BC6D470C2D82870B1D6A2C9692CA132B27978F2707677ECF5E1BD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:20.844{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local389-false10.0.1.15WIN-HOST-98759830- 354300x800000000000000047961748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:20.843{3BF36828-402C-611D-3200-00000000CA01}2372C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98759829- 23542300x800000000000000047961747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:24.494{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FC0836BF9B6373280E629AFF06F428,SHA256=AE5969C2C91EF2B57A4B4F1F4AAA68527A597C437AAAC16AF6DBBF6CDAE46171,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:24.182{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7900B73E60961871A68A66F91FE4B46,SHA256=A317CF5EF79EBF138E3D4579E33B66A5BA65E6EE9CECE7436AD756DBC0D45E50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:25.494{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF53859556243EEB41750FD3CF79957,SHA256=2EB0D8ED72CF630BA4CF5FAAAE985D61317EABCDFF935B36BB7F663B1A1CE42E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:25.689{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3922E5CE38F7919F20C7F5466FB9481,SHA256=177D06FE1E649680B66AD843AF18ED6F9474397A2B6AA252E4CE02DFC7FBCDBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:25.520{B81B27B7-6692-6125-C900-01000000C801}5308ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=420D1AA688449B1CC29CCE52873DB257,SHA256=99922A0A07B9A2D752AD8836D5EA7D81EA674ACB1169089E3FC88A2FC204593C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:25.473{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-6692-6125-CA00-01000000C801}7088C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+56c8|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:25.473{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-6692-6125-CA00-01000000C801}7088C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+56c8|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:25.473{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-6692-6125-CA00-01000000C801}7088C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+56c8|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047961750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:25.197{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4D8F0537D7A74BC81C8154FD710098B,SHA256=A10C3106365C74B7FF6F091AA620B32B2683A6ED2EC98B93F3394786AD4515AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:22.885{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53940-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:26.713{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76F91E12C55C60F2EC2DD9CC00716535,SHA256=DD8BF399D7AA65A76F3CFBB8EE7E81D94566594F818E51B1FF70802F6AFC5B07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:26.525{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B51BA01C9986DBEE15A0D24FC9102C,SHA256=734F6162F5C2A7CD38573DEDFD22486230871293C0EE88107AA5130EB9E65885,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:26.719{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD7FAADF4CCDFA2067150BE69DC6CFF2,SHA256=436AF641D3C94E24DA2A87885B4103F02F8EDD9F80E10AD12454570DEB1F51A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:26.537{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E89DD562BD695852FB9546FAC6D147C,SHA256=2E2F043400416200E5C9A78BACC0E48554EA254901D94C5963683B68D80F8227,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:26.488{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71C99B2E72472817059F3A329F7EA732,SHA256=48DD80191601FE703F9D29ED3B6026644759863C93369D10ABE1F3D28EBF760A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:26.356{B81B27B7-4012-611D-0D00-00000000C801}7926896C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+ec16|c:\windows\system32\rpcss.dll+10ee2|c:\windows\system32\rpcss.dll+6a4c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030727510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:27.735{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E677C8C572FFF26BF6069CE97E42FEA,SHA256=610E65417C6CB94AADB4262362C7DDF87DCC5418389C6781B7BF9DF13FDBB4F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:27.838{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21EFBADF3788AACDDEEE4C78FDAE2A9E,SHA256=0D29EFD2604EE7F9F29C4D78E068B5EDF1F8823CF3F088456458F9BAA0FBFDE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:27.557{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB7096B83C6D8F870DDE0E24F505546,SHA256=5566AFB86926A9566F0A2887E2C4BEAA48A7B9326138B1B781A68A64AE651F84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:28.738{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56DFFA87635900FC796A62974835807,SHA256=9C5DE7596BF6B4F7D9D48075AEC53BDBF40A56087AE3691D1DF90BCA3F728C67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:28.572{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28DF0A6B97F64EDD9BD1867CEEAE4FC,SHA256=E2A60850E3D77F32CDB64171312D779521EE206150B5393509FAEDF9BCE3E10D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:32.993{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58995-false10.0.1.12-8000- 23542300x800000000000000030727513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:29.800{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADA0EBCD077BC93564B2FAEBCF7C095,SHA256=E306889175A3AF37DFA385D720838F96DB39FDAA981A9C109D878914225BF8E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:29.588{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2DFE91D76DBC040A5F40840D2950194,SHA256=EA2315F475DAEC8A5D8A6703E0BC76DABE8A3970884AC92ACA69FC4FBC4158A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:29.057{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9280FAAABD22C8E7CBCDAAE00B1E913,SHA256=E532CAF5D4F16C8DDE6D54D6DE37E76CE89C227E835BCC7D9D8CD3B82E5B25DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:30.832{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EAC5A808D88DAA34D25C85A627DFCD,SHA256=B3625B8A8AEEDF39D4BDB13E7B411303AA7B4BCC3CF1411A122EA3D582D51BE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:30.619{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0E224860F3B327AC8994CE4B01264D,SHA256=6B91E1DAA21DA40A72C2157B33CE42F40A67DA9C3B47348C8F7C1EB2B1D5E2BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:30.275{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D0EF9C12327F0847A3B7F389320AB20,SHA256=F57E25120A37F9455694299249B1C779523C0D19135E9FFD20695DBE8A25E228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:31.851{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF5BCD419D26BA90234F5A072E05AAA,SHA256=5182413DB2606FC6B893CE04F55D56B1C5A0838697E949BB2AFA0ED98390D4E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:31.619{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E40766D4163538B7769010489A5EBA3,SHA256=C40C3E93FA1C56CFCCF2718459FEB6EBB7D5A6B33B0E7BABD8546159B5FA113B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:31.291{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F44B807D4FFDED1B8072B09BDBD59E8,SHA256=6ECD0E10B8B79EBAD4A4E8F4FF3825BFAEFCA388048DE2D5884E53369CED6453,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:32.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199DC3DB088FFBC88F4D615F110AAC02,SHA256=8EDE2B05E69034C2357294FBA1643061E9A18B222BC08A21516968895F6ED020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:32.650{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9683A78B6A6E750D094D334918D8F7F7,SHA256=74AD9923F70A8206FD2D8B908D9D9364BC2C6F44885D8DF5E8A0A458A379076D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:38.035{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58996-false10.0.1.12-8000- 23542300x800000000000000030727520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:32.151{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=BFC9E9B95A11311D2AFBF78802212B46,SHA256=6C988665DD12C7CF6213555EC6A30BC924B7F729CDD7DFFC0816D467CCE70996,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:32.151{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=090A9E665293CA6B5767892DC6388221,SHA256=FF51BC3FD78F3A8694E8520C04E0F82463ED095CAD08B9F15F20076AABFED7C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:32.151{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=847C712B64BFCEE6A8006D1E4FAFEE96,SHA256=F9D73A7B3B8848FABF149DE3A7937DDDBDDBFB1F59B5EF6337C8C6EE175EBF62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:32.151{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=12AAF95E60535C7DE7008304EEE17A58,SHA256=E6AC90FDA038015EC14F28628319FC8D2445FC7CB00AFDFD2DDF5CD76F76802A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:32.151{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=47B34415CFB58B06B9D02F1D9E5C9DEA,SHA256=F1D4D0E9A767B42F24EA1029357A758681EBDADFAF7B6D7E974B86249D632ECD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:32.385{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8C361B68DE2E2017A20A740FBDE7A7A,SHA256=9DC781BF94CA2D64A8876CDD8FEE13F0318D13736660389EFFE6D7BF1E6712C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:28.103{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53941-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030727523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:33.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBDA8E39E33F4326249C5D37719B80B,SHA256=0DC49C05858E1B67B8C2B8B84821FF9DAD41B8741A40E09C5DFD04AFFB47D0D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:33.838{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1AF65A1172AC0837099B405B3764F81,SHA256=4D32A5F945219104EC742AEAE3225920645CB30A01318CB37B93F05AE3D8F655,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:33.666{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B0AC1F725D29DF73D2AFF9402D9AF9,SHA256=D439CCC01683EF0ED0FE8E450DF13E9A52746B6F92D4017814264DDB233A4313,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:34.910{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BA98F540F438BD2319C26FD7C7E1CE,SHA256=D2B515D648D0101B861716CC57289EB02875BECD54EBF67F8C077D855CE67847,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:34.979{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57F9DF536A25A758FD3631D26F45A5A7,SHA256=B576A647E0C30E544A7C5FDF3CC8884885B64949E36BEC93A9D9D6D1591985E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:34.682{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446ECAEB6CCC3002AF57A12B8417D13C,SHA256=CF668E04149DB76DB87F54CB32A32912011B87AD5D55170448DB628E1C5BD581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:35.926{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7451152DF27BD18CCF23D50F4C4496FB,SHA256=03C9C26288530337E306EF519B390C8D78B7678D12EE2D8B13240E30C7C4ED2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:35.697{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786C7E4B17ABE2CBAA6C9F79415EC77A,SHA256=6AA3F1C0E9EE945388E52AAAA9C7FECD5AE31BD68C50208B11ED4A980AC673DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:36.945{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFCC77A6B5A54A509CBBAA30EBEC840,SHA256=91F8F0902DEC96ADDF6BD02EC0730C716DA6DA6A8E4761E25F1BD66E9AFFE2A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:36.700{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D225BA5495DE7FF358B5306EF47752DF,SHA256=B8AE740D35F6BBD5CEB3FDCD49804AC49276116A743D0858038C5883761CA88D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:36.169{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E33AE1E51B98DD8D16E62BB3A5A47BD,SHA256=0FBF091C25FA568BD2DB43A98A1B3BC76044502829C5577AD9E25FFAC1677105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:37.976{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C68C8EFE44A4E13F4BF133087917063,SHA256=C5C1FA1A3C9E33177DCA3E404E3612929FBF0AA06BD4BF71D7FBB99517999557,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:37.731{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E785436018B41E03517E5E3D603D4F36,SHA256=35C76F54BB48FBEE2961767DC8B3A683B07602B0DDBD5A4F8B6A5EBBE53414E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:43.116{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58997-false10.0.1.12-8000- 23542300x800000000000000047961775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:37.372{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4F678C8A3188BBC3C71978153AAA604,SHA256=70C4D2472E5FB0E163B770F4AB456F8E57893C32F396DB8866126E11E4BCF2D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:33.872{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53942-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000030727534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:38.991{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A696307E66CC84708F7318B5AB0288E8,SHA256=60C9A7BDF5B6C8A8D9FA21CE8CBC46FFB1F15F9D0AFD65CBAE2A1AA2DA9AE9CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:38.872{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56469EB943ABC995E5735145E4FABDEA,SHA256=4BFD8B7C3EB44BBDB2ADC318968CDF494E63690C3ADFAFE031F12A28FABD749A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:38.747{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB974C6215F85AE6C2DEBE5A0A8C5F9A,SHA256=6811DDC3A564F59FAD78EAB062B49577F2F9B60FAAB42FBC12EB6BA7A1FF6FF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:38.775{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=E97875A45538FF6B8031B88EC29E30B2,SHA256=4094AF63CC527ADC9A8E8FE6DE2BBBFF68D23E8F87DD66BF5941B93040D049AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:38.775{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=E009E1CFEDAF5202F951625937078BFD,SHA256=2355F22016608BDFF028914B31F738BCDD0EFC89193CABC3ADD25273471CE2E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:38.775{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=DFEC273E31BE63538BFD4818D2390DCF,SHA256=795300B1B76288C3F13FD043BD146093010A25D3D2D8FF974598FF0903DC0626,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:38.775{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=BB476E96B6CDAC40ABDF3F2AB95BE41C,SHA256=843BE6C1B0B0CCA95FD509623E7ECB6C13CECDC942A6B01E81356588298E78EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:38.775{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=DEE9280C6F7224067C9FAB1F293663CC,SHA256=E7B733DBBB811F59108652A25CEC79D22E0A9DB26B06D56DF0356B902A726311,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:39.809{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFEFD71CFEA8C3938FFA302F1F88218F,SHA256=5783A2A6F7E2F1BAD070A2FF3656B2B55C84FBAEAB9259CCAA3472CDC285F5FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:40.841{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5B323D03F3A4AECF376CC48A131C85,SHA256=7B8BDDDECFE10B6797512114DBA4EB04D46B1B35A04B4405A3179AD936556678,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:40.005{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F2C58F1E0BAEF660D57B610597BC68,SHA256=D67F099CC741142FBB4573F0EE20EBB1FF68B463F02829DDDB5AD0144EB0EDA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:40.012{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41FBDE46C9C715BD6795CC4AAD60424A,SHA256=3E0A6064CCC4AED9BC0EFC024FC0B4DEE4B7F724397732A96A4DF57746B627E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:41.841{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588F8110853253D9C1EF4787640604ED,SHA256=8793E4208799EF38826C5BB55DC0D57A5F32CED867B41B39A49C93989172E094,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:41.023{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AC7253B8988EAFEB3F5D7036EE961B,SHA256=42B629146D329A716680F807C485D4B14FE4148CD85327B0732C264D865D8AB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:41.216{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82D5160964F879B09F8771F852EA0AB0,SHA256=17DFE18CB4D2104E0F9A84B6B476A6471E38B8441F4FEAC5F6827F95DBA4191F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:42.856{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17878FD5508F5C519A2C75578C63504,SHA256=41947AD754E30E33273D5CFFF52FE59D48A9BBFE4E34D651E9E91F22020C6632,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:42.041{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CDBDA1F9FE56CD3446D12C57BA24FB,SHA256=C42A732262FABE74EDD6208210BF3BC2BDF9B4CEAC0E9568F0497E7205B6DA73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047961785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:39.063{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53943-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047961784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:42.278{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E0C2AEC173450580578A0195156F735,SHA256=8CD38A2E147C9C81FF33684787C3EF1B7D10C9C71C766DBEFD41DFFB3FBD6F64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.903{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.903{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.903{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.903{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047961896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047961889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047961881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047961879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047961865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047961862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047961861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047961858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.887{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.873{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047961848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.872{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B66B6C6BE6D541A2F40D5E66D872F9,SHA256=E435107436E045646067F482C47B329AE3DCB2203FB45D19278D29C141979566,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:49.141{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58998-false10.0.1.12-8000- 23542300x800000000000000030727538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:43.043{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F086742DA5591552A817DA23111866,SHA256=EF899F2D2AC958DB7604D156393384006FF3F8ECB501257FF9C89CF4075E4450,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.592{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9D04EC7844606A7497E70BF6014ED26,SHA256=8F9ECC190226A744613BF0F1DB4667F982279DDAB3ECE8D62A66286E1F4AA513,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.512{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047961845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.512{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.512{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047961843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.512{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864E3CF697A36D96263CD1C4EB2BCF4C,SHA256=CFC714A4F92BB4F604F40E386E69C04D6E940013C0067449E61229AA5DFB5195,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.309{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.309{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.309{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.309{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047961838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.309{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.309{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.309{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.309{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047961831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047961823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047961820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000047961813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047961806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.294{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047961803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x800000000000000047961801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.278{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.263{3BF36828-66A7-6125-A7F4-00000000CA01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047961789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.028{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1600-00000000CA01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.028{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1600-00000000CA01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:43.028{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-401B-611D-1600-00000000CA01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030727540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:44.091{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F7660A9C9347873EF620253620B164,SHA256=A65B159751D561C3CDF52A78D27079272A4267AD42F65162D54911E06E4F640A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047961960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.731{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047961959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.731{3BF36828-66A8-6125-A9F4-00000000CA01}59526108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.731{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.731{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047961956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.591{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047961955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.591{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047961954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.591{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047961953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.591{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047961952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.591{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047961951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.591{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047961950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.591{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047961949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.591{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047961948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047961947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047961946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047961945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047961939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047961937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047961936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047961935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047961933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x800000000000000047961921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047961918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047961917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x800000000000000047961914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.575{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.560{3BF36828-66A8-6125-A9F4-00000000CA01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000047961904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.044{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047961903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.044{3BF36828-66A7-6125-A8F4-00000000CA01}57683912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.044{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047961901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.044{3BF36828-66A7-6125-A8F4-00000000CA01}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000030727541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:45.105{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAB324AEA2593762512687135B25B10,SHA256=E7C0D2BF2E1EDE5985A5F8702F5D404573502DA953C65D5F601C83DD64024FA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047962089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.981{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047962088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.981{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047962087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.981{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047962086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.919{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FD1818DA2790EC80DB4505EAFAF7A96,SHA256=DF683C91A4C6CF3202DFD20400EAB0653A59FB8FC9A58245576E41B5ED3EDEC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.856{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E426E12FD9F2A9A9EE0C1061E4B0519,SHA256=41936044B0A1FBF053074B0914B362B36B70502EADD67DFA889BD284C287E634,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047962084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.825{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047962083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.825{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047962082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.825{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047962081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.825{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047962080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.825{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047962079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.825{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047962078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.825{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047962077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.825{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047962076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000047962075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047962074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047962073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047962072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047962071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047962070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047962069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047962068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047962067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047962066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047962065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047962064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047962063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047962062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047962061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047962060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047962059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047962058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047962057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047962056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047962055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000047962054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047962053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000047962052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047962051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000047962050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000047962049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047962048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047962047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047962046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 23542300x800000000000000047962045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CAD9CA1B7589475C4DAC2158D886FB4,SHA256=4ED9DB47793CA9E3B57C415790FF8CB0716B560F7C369A6B0FE46EC05668FE62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047962044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000047962043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047962042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047962041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047962040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047962039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047962038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x800000000000000047962037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047962028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.809{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047962027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.794{3BF36828-66A9-6125-ABF4-00000000CA01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047962026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.591{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4511C6F09011803C775619D2610B4543,SHA256=9E50B70149CBBED7C2B744EC909B6272E9A2213B8D0F34E0BF383B46E1FEADF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.528{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84DF7A4F009DA5A09EAD95B355380877,SHA256=C5092FE19ABC7A964B062A593E242F0EFC5A6D2121AB545B52CC2998867C4139,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.466{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4E16778184389242CB825FB515969BA,SHA256=0BD3FA5115C51EDFD1327524CFEBCC6BB5B2578B5A5F628709A8384B56068438,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.403{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B85DB7CBAA802AC71084595257A5B9BE,SHA256=647B842087F5E96A354111B8B223164B3CD12FA95393758597DF746E7D05376F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.403{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB7194C4F74C5DD38E610ADBE27173A,SHA256=6E4AE563BFF867B4CE1DFC5C34F6136425B16A9E01B95E9D3AF4C8E73FBFE5EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047962021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.309{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047962020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.309{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047962019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.309{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000047962018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.278{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A25561584323F8A47439D9BDF02DFB1C,SHA256=3F022ADEB7E8BE426C359B7B553925848C6A9BBE3ECED1839B2D8E6388A9D24B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.216{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68B63DAAE15B122832521CC1245BB90B,SHA256=EAB02CAA831A800DC83F853D0A5245D98CD11EB21B2EC7C3BAB749CDF1B9098C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047962016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.153{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047962015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.153{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 23542300x800000000000000047962014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.153{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D2733F0D0ADE4897FEB968C997C03B,SHA256=BB6C3916B0BE0DB2C3329F417CD79F71F113E77DCF6170B52A31B0E4E6DB796A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047962013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.153{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047962012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.153{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047962011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047962010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047962009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047962008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047962007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047962006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047962005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047962004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047962003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047962002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x800000000000000047962001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047962000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047961999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047961998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047961997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047961996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047961995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047961994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047961993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047961992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047961991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047961990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047961989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047961988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047961987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047961986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047961985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047961984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047961983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047961982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047961981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047961979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.138{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047961978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047961977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047961976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047961975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x800000000000000047961974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047961965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-4019-611D-0500-00000000CA01}408528C:\Windows\system32\csrss.exe{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.122{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.113{3BF36828-66A9-6125-AAF4-00000000CA01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047961962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.106{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50028FCB24F66DFC5355758D40C7F61D,SHA256=E0AEDD02FDCA94FCEAFBF83AB06B9ED3E517B7F8F72BF7384AE7B06D738637C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047961961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:45.106{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EE11A66ACF0D46E2EEE3322F3FC405,SHA256=3EB64C221EBA90FFAAC23B3AC211663A28395C2AF58D93B20FB1A07BC64C31F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047962148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.638{3BF36828-66AA-6125-ACF4-00000000CA01}59205132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047962147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.638{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047962146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.638{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047962145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.512{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047962144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.512{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047962143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.512{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047962142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.512{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047962141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.512{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047962140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.512{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047962139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.512{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047962138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.512{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047962137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.512{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000047962136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047962135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047962134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047962133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047962132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047962131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047962130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047962129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047962128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047962127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047962126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047962125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047962124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047962123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047962122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047962121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047962120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047962119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047962118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047962117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047962116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047962115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047962114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047962113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047962112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047962111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047962110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000047962109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047962108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047962107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000047962106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047962105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000047962104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047962103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x800000000000000047962102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.497{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.481{3BF36828-4019-611D-0500-00000000CA01}408424C:\Windows\system32\csrss.exe{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047962094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.481{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047962093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.482{3BF36828-66AA-6125-ACF4-00000000CA01}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047962092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.216{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6F34F5EC2BFC57B2BD5835652F2608,SHA256=F2A94693C6B0B53CBD1B3A9ECD32CE028C1271E8B4EB2A9416C9B149C9F7D5F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:46.122{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1BB6BE22CB6282933B39A7352306DA,SHA256=83C0B13C0DE0CBB2197BD620BBD6DC1EB8AF44507645DA0E82AC33EA22A78DB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.137{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BE9F9DDDCF01B8C48FD31E3D9DB385A,SHA256=BB06E202AF7ABEB81B92AEB077E45B6BFE3FF78D2B191B3808B91186876A247B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:46.075{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1182D1DF0F12FA74222E400B5334C9FA,SHA256=E1EA61B80F0603AA74897E6090DC978649B096F4C678CC977D10D1A0FC8C3325,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.466{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C498EF79624BA7969887A026B9FE19,SHA256=5FF98B1E0EA37A5A1F26BCAEEDA28C3F64027FA486B005D6EB3FEF79623650C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.372{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=590B9BE0017F1F68EC1643120D90E33D,SHA256=8F1BD08405DB0A663E52B6F9F6F3CBCF947D179518F4D5D6B320AFFECB2719DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.372{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C3870C345C47359CBF0ABFE3817D1E,SHA256=968B20DF6E2FBE84BB58035D97186F247DE14C7391AEFC5EB1053CA3A753FD69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000047962205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.356{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000047962204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.356{3BF36828-66AB-6125-ADF4-00000000CA01}46601676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047962203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.356{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000047962202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.356{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000047962201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000047962200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000047962199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000047962198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x800000000000000047962197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000047962196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x800000000000000047962195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000047962194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x800000000000000047962193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000047962192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000047962191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000047962190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000047962189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.200{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000047962188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000047962187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000047962186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000047962185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047962184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000047962183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000047962182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000047962181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000047962180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000047962179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x800000000000000047962178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000047962177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x800000000000000047962176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000047962175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000047962174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000047962173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000047962172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000047962171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x800000000000000047962170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000047962169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000047962168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000047962167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x800000000000000047962166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 10341000x800000000000000047962165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-402D-611D-3A00-00000000CA01}36083628C:\Windows\system32\conhost.exe{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000047962164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000047962163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000047962162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000047962161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x800000000000000047962160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-401B-611D-0C00-00000000CA01}8362216C:\Windows\system32\svchost.exe{3BF36828-402C-611D-2B00-00000000CA01}3012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-4019-611D-0500-00000000CA01}408356C:\Windows\system32\csrss.exe{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047962150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.184{3BF36828-402C-611D-3000-00000000CA01}22204860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047962149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:47.170{3BF36828-66AB-6125-ADF4-00000000CA01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4019-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:47.141{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D34CF651F797B7587EDC035E8D2DD7,SHA256=F15E36674ACDA8E7923E8E15179805027EB950727974878129770F1206713FC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047962211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:44.887{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53944-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047962210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:48.356{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EB198F46E36EF31C89ABE2EBA9079F,SHA256=81A0CF55C35187AF56A7FE77EB230D40853924E11B11BA1ABD16F66DF8248A9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:48.200{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=359194030205D3BEC1630EE0B4AE323A,SHA256=E7362A00B6CF5A69AABA37DFA7A7D0EAD7816DF2A255BB2A2890F0CEC1406E9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:48.255{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\user32.DLL+121e4|C:\Windows\System32\user32.DLL+11b2c 10341000x800000000000000030727548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:48.255{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\user32.DLL+121e4|C:\Windows\System32\user32.DLL+11b2c 10341000x800000000000000030727547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:48.255{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f 10341000x800000000000000030727546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:48.255{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 23542300x800000000000000030727545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:48.255{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1fd6f42a.TMPMD5=FDACD09E7FE08492170097C722F2EA34,SHA256=A0DEE074A7489CA35C538020D9C8D37166A2377E8B1035AA41C598789EDE1978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:48.171{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C531910A8A085B9A72E7E89DB7319D95,SHA256=DCD7F3E9EDF96D4CE9A0A18209FFF79DC7A0212EAC9E6616381858DE301080C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:49.372{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE746E504A95521B5FF8ECD7189B904,SHA256=2A0BE59190D0A9B08326DD1A2A1005C2B8AEDAD2C6C2AFF8CAC20A809AA78342,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:54.992{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local58999-false10.0.1.12-8000- 23542300x800000000000000030727550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:49.185{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E62C8F1C15ACAB6DFE25728F174716,SHA256=196A876DEA75315C3FC6CE45EEAAF81D00BBD558608CA559B24BFD8754EB65A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:50.387{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234A49A3CBCF21DF3124D38830EF7366,SHA256=8C6DBE7C657D4A76F3A0B6B9F24397DE1091A183AE7C1B7313E36139D6559990,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:50.217{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8320F50D5BF731ECB5FE3CD73ABDE277,SHA256=F4539D2112E39F5E3738A2BFE53345B483418B488E69CF0351B395C2330ED39E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:51.403{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D5AC24AB184C0A0BB08814D34239BE,SHA256=841B88B5B0860DE1DE8B2934612DE6DDB8BBD3E4C0BFFB8BB33EF834F1B3B6E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:51.236{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65DD43179DB7131F3F5D2C2D60F78C7,SHA256=106827BC5ACB8E188A9ABEC5A7784D543DBF80621569C66EEF4BDBA128BF8A1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:52.403{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07724597B46B26FB0BECB116E9899D37,SHA256=2EC77964CF7AADDB263104AD3C20DB77864C2C358E931D0BB2F4F22244BBFE55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:52.012{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED6D30580159F734A2A35787B40BB763,SHA256=CBAE9E170A9704510B201AC89311D982CC03CEF1A6D408358911CCE296380C04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:52.282{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FC7233F6D48ADBA34DB972974E51D4,SHA256=6A0ED74DA98236520B5C04D2C254A175176E9F79A69E3521BB347C2FD49C63ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:53.419{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0979F611BD936754A000043EA68B18AD,SHA256=7C771090EFEE88C8543B103EA2DD3D0BFA991AADCACAC8EB0E8400BDB9A49A24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:53.153{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FA9E0DDEAB7D454E018D94417C3150A,SHA256=4709109C1B0C40B5881A10BE36B0EE9B3825D471141202F06C295CC532D63B77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:53.816{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=D3F43FD2F55AC5E25EA69B79294FA3D1,SHA256=0E8BCB28E247EAB78F3C9675844981307CA734C8D54CE6F32FEA3E4CABCADC80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:53.816{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=18AC9BA383FA7A8AC3AEFC6C57A8119C,SHA256=11B5EF12A95D77A2C070A8B95CCF40CA56D85A840C70C953FABDC5042268C663,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:53.815{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=60906210052F70B670CA1281DCFDDB8F,SHA256=10BECF3F621E5AACE4240B50BAE22EBBDB2E96EFEB43B0A06D759FB97D894065,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:53.814{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=97F8A9BC6AF9368D790C86CA77794003,SHA256=DEA92840BC037806AA6CA0EB2AA16112095064D68ABF04B70E6CBDE5F329335B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:53.814{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=A6D88288F1F524BD6E4004072A1C0CAF,SHA256=4770F79A9D48F489E57B847CAB7B1E87B13E6747BD8AB0873B7F0A4283C6C9A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:53.315{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8525059068E26AC36B4F4B5C47576A,SHA256=101FD89458CDF9EA2949E76E44333FA91344C6EF77079D5E56FCD2672ABEA427,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.919{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDB1BF9A9A35B374605478480E9CCD3D,SHA256=5A8B21BB0184C35A86C85FAA98475DB91C085D82246647A26B38B027A8974476,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.778{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87BF023C4353B25E22941172B4B3F0B2,SHA256=90A2F08DED4C7C26F1931EA7041B42B5EBF33B6AF1135ECD1CE764AD501E12D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.434{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF77B932449AD468B38C1746CED3C00,SHA256=0D32FEF0E3A333060AD7C3BC9B8E47CA02EC0E03D24CF48CED22915F297D76A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:54.334{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D4FC5BEE47B9B8CEA4B7F452024122,SHA256=EE8286D6097AC96009FF8331BC33A1905F43398A6E133A893C0514D1540E6430,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047962231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:49.965{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53945-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000047962230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A87-611D-C803-00000000CA01}2472C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:54.044{3BF36828-401B-611D-0D00-00000000CA01}896916C:\Windows\system32\svchost.exe{3BF36828-5A86-611D-C703-00000000CA01}1944C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047962238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:55.981{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=073A08CDFC252A5D8C3E95F385943515,SHA256=E4E5E4B4C6D1BAD0B7D30F9A36FF0D34CA37BC6F53CD2AADAE3D73A4467E626B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:55.762{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DF4D5026EE28DD47F177EFF235A670F,SHA256=A3CA3F6C5BEA4A4FFDDAA49DEDC3A0D14A7082724A9C44F0061EAF85EBB0A2FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:55.528{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6E7D7E7422BD93516EF356C23F55F1,SHA256=71462D00CEC7BF5D1F613C824D7291B2741A4A864BCE67F6C39BC17BA6BDB12E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:00.103{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local59000-false10.0.1.12-8000- 23542300x800000000000000030727562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:55.380{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D165BAC2F8A9D0D36BD32CE3CF636801,SHA256=CDC9E63781875C8CDB899318A0C0ADC7164395BCA81BA67559E91241455AD9C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000047962235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-08-24 21:37:55.137{3BF36828-401B-611D-1100-00000000CA01}396C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79930-0x4c7bcb5d) 23542300x800000000000000047962241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:56.955{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE32FBBB52B61AC0EC9AD5FC34274C0B,SHA256=9B9DC6C00DA9D74FF30F0328FFBB99A05ED1CCB1B00546D310C174BB53E1F1D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:56.596{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA3256195C44F96ABD81891F0F0A8570,SHA256=7664935EEFF497C950EE8B15CD6B1EBE7760F4446D2397FF7D4FE2F78E99EF49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:56.549{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F3ADFB9EE8B76E895B97E863B0EE0D,SHA256=6D0D78697276C8F95E0EC7D93292E1DDB514368EADB445115321E12F07613F3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:56.412{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DBC27AAC60FDC52C782091A87EF826,SHA256=9D76D385252BC400A055FD24131851D07445B355F3654A30985CAC58A5278736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:57.971{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=549234954A4432B8D5B8EFD04CB648B4,SHA256=B9A48C516E9A900A0F34DA116A78B3CE432D816958AE2E901ECC7E26B5A16EC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:57.596{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26828AA2D4300419D36F6C042C6D4E40,SHA256=9A8506D9677A3A020402EF00A1C06CBEBA74A6AE608462A5284EC1D7F2AE3225,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:57.430{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C8AF113C8A37C9BBDA44C2A9DE2E15,SHA256=FF7564811E6C542A014B3941A5834BA6604F3ACFB7D105DE2B00A3069FB47840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:57.580{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF27FBD28E7F4D8C23043440465D945,SHA256=3FE7FA5AA90BC0E3E04FBD0EEC525366DD982A691BDD2AED3F82196F9296DE5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047962242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:52.918{3BF36828-401B-611D-1100-00000000CA01}396C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-128.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x800000000000000047962247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:58.659{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A880F9DDF314D33EBD5DCA844E4723,SHA256=1801371F994904F86EAA711530C5B747BC61526E1B3C7F7622095F067D62BFC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:58.445{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F49EF9D9AC2D5C4AA011AA26E0DA49,SHA256=6265CE9249EBB070DD4070BD1B65846B47A054CE1597CE9AD3E4844B082B2FCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:58.596{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C331005C2FFCC08BA05BDD3590991BF,SHA256=E7D078D1D7A2923149EB1DCC4C6DFA457A7063EFBBEF5D2E4E0272F84872D4E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:59.674{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B9A04AC2B83BAA2F9FD44C82106D216,SHA256=8A0E2D20C34F788797B23241B7169D3D2AC0239603AFDF9EE26492A466C2841A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:59.674{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9688A68D9DA8B0173577ACD41AB4AA27,SHA256=D61475294016929FCC7A9F9B020326F77DEF14574F936A3AE1083DB642D4D6B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:37:59.475{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1532D98594B4156EDF7A6276419428,SHA256=E0E931191058AD4B35E4D91588D5A3EF813A4034293DBAAE1E30B488F983E9F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047962249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:55.065{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53946-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047962248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:37:59.049{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65A9D7148ED1B10AFAAC87E2B0CD8CCD,SHA256=C7D150CE17927C385FEC3794681688285AFBBA353B0A2972CC80D4A480245EA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:00.846{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80D7C4E49470FEE411A9F9BABC903CD,SHA256=70461F218ED3958E868CE49CFE27285E0C728A63786C8106F96B78F914436DFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:00.489{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5F6426C440AAEEBFF8A864DA3BCDA6,SHA256=CDA9EC25EB18591712294A70B9E6FF6B72ED79FAA216D3EA5669FCD074FCE136,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:00.034{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D27620AD73EF077E61B8474E41DD6021,SHA256=50240C31BF2654BAB3EC2C2DBD7730D793EDEA10111DE344ED933CB966EFA560,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:00.227{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1F45BE58ACD91A7FD824FDE11D265CF3,SHA256=481D47C7555DE30B1EF91FA94A9788E9ADD90305BD4DCB9D99BDA7AABC7DDA59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:05.148{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local59001-false10.0.1.12-8000- 23542300x800000000000000030727571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:01.508{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC9BB5F345F0B8FE5BF0737D87BE61F,SHA256=B9C9F90FD1C47FF9E2B3EC42A0A469FB4CFF546BB44DED59580E895120E7EE42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:01.893{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B203AC114110ACCAD7E292F9894538,SHA256=9A13C905AC4CCD66417EBBA4AAC9E1D3D20CB610E43C3DB70AD080CE2D41674A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:01.174{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E30422E160CBADF4CE6E12EB13F7EAC8,SHA256=9BC3AE3513901399FA967C5D2E2BD5C649A5FAE0AF91FD7F963709E08C23D7F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:02.893{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94C2CDD561407A0BCC3F7C4988D674D,SHA256=EA995B0DA7B719C9382A2DD18F3F283875A1C00A40E9CFD8CE22A122EA1DD79A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:02.573{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45419CD56A5FBDFC0C1CAB957BCF9BF5,SHA256=6B0548A02B8FC67A78FB1D79822369DA31DA1BBAC85ABA4EA201E8652E185A0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:02.315{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=014670B4BC9B620F22111539BBC0960F,SHA256=77C50DE00282AFC02A4F6DD2BE8E2F96BD43BBC58C56AFEBF390CA2BADFB1529,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:03.924{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA2768CB47A78FB1BECA583704EB148,SHA256=194C4CFD55EC13EB39D69173871ADA4C1E029B3D762A3A7D9FE0D9F43988244A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:03.909{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-66BB-6125-CC00-01000000C801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:03.909{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:03.909{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:03.909{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:03.909{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:03.909{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-66BB-6125-CC00-01000000C801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:03.909{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-66BB-6125-CC00-01000000C801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:03.904{B81B27B7-66BB-6125-CC00-01000000C801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:03.588{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8B62DA83EDBE84556794D5FE9B31B4,SHA256=7B1D333ADDEF019DBF6772D88796C0F57A70927F901F35B57BA1544FC7E1A079,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:03.565{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61C6A5ABFF8A1CB2305F11F5A864520A,SHA256=1473E5032FD26364F531A063B47DCC824ADE7A257CF48119EF06E63704E772C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:04.940{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D274A9A8641D5E4CCA154EC01BBD0D5,SHA256=C73FE211426BCD0E27B766564DECE3CF8CE787915895EAB581275A7F74DCC6FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:04.612{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DFCF6D0445129E8171ED6503544185,SHA256=4192BC2438A573924AE65EDD5CE87A6596F2CBA2CF349EFA532D57192FE5393A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:04.611{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-66BC-6125-CD00-01000000C801}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:04.609{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:04.609{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:04.609{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:04.609{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:04.609{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-66BC-6125-CD00-01000000C801}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:04.608{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-66BC-6125-CD00-01000000C801}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:04.592{B81B27B7-66BC-6125-CD00-01000000C801}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047962261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:04.815{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4AACEFC9135CCA64210EF4E6069B294,SHA256=C27CBEEC931198996EC400E16FDB33802D8D95B20D5BA50D8EDAB76CAD2754F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047962260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:00.893{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53947-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000030727582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:04.076{B81B27B7-66BB-6125-CC00-01000000C801}12406612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047962266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:05.940{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A368F9602BE4F4EF0E027662A8630067,SHA256=875C4F39A420178D4ECE35401CB3460DB42B57DCC8B0E1E00E3F44E85076FF2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:05.628{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75500EB55DCA2CE0735B32EE9039F6F2,SHA256=3618ED58EFB99C7747793E4F3BE76184F32D3DCFD14B7E3B7C4E7C2B3E787ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:05.799{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=741692D6DA78F720FE9A8B2EB86B5283,SHA256=AF9160E731A530D5C3E3CF7459E5C65A5FFEFA0D77BAC0D01ECA4D2F172CD781,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047962264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:01.940{3BF36828-4019-611D-0B00-00000000CA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53948-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000047962263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:01.940{3BF36828-402C-611D-2900-00000000CA01}2928C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53948-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000030727593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:05.128{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A70ADB1139993ABFDBE8384068F856C,SHA256=11CDFC56DCFA7474AB6214B77A43E5482A85B545C3FA7222DACBFD6780E0A54C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:05.128{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D084F6BB2D5CE4D03FC33392C61269C6,SHA256=2E2908F05A80EF571EC2A3A2659C593F27F2CB161A0BE6343429BD5D2DD675F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:06.955{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1921E22D679FDD5501B2B2EB2323FD,SHA256=A25929736B4C7E959CBBB08E5EF3634BFC4D9238459D3A1AA0CE775A1C023D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:06.646{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74C6F1CACFA8E03DC2586B3D159ACE0,SHA256=6421BA8FB081E02A32DAD22A1B69150E3BC8B4286E9681689A6FC513528B993D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:10.987{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local59002-false10.0.1.12-8000- 23542300x800000000000000047962269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:07.987{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0BBF582D10F1B4F62A5C3F8B3F7B75,SHA256=AA5D79D7041DCDC7143141793CBCF51924F00921050B3636483C65862B7A8526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:07.676{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD90712E8E17EA222998C3CD030F613,SHA256=616D865063DF85E3A4214AC5BDE7D8F159C51EFBDE75FDED5119EC7DBBF73A53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:07.205{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54FB861667B644773657D8BA57920775,SHA256=7BB50B549E7F8031C8C6664B45413B596005F9DE48CB878CAF5C51E9C9B5E467,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:08.691{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABC68DE7A5263C2C08BCC335F6BA958,SHA256=7ACD0EF4047C52B715AFAC7FE031A304866B00E6BE3FE4CDAA35A3529EB93609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:08.237{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C06512683AE4272882D317279206294,SHA256=E8D5866EEAD091E2AABB24E620867B086829A0B6FADD58BFA0F3EE46B08B6170,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:09.708{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E48E44CDD4DF5DE8F629B72303DDAA,SHA256=42A98F76312E76495FF844AB87EEDDD321C7DE7E480AC2445007B83FE79DF4DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:09.393{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=158F4CF3980C99F1C6551917BF363D9C,SHA256=516B3B8EC445CB5D5F92CF48807A3F8216BF385183495845603E581B8638FBBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:09.018{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FA09FB2127F656317D02ADA2FB9DE2,SHA256=05874594881D31F29AB09FBC60BD3B6436552709FB120BE9F3DE1189E32262DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:10.726{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4F6E585EFD4969252649C84365158D,SHA256=BA08C485B1562CCEDED597010437826C9F27DE81C0FCA73B2FAA7C2CBDF4693A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:10.550{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80616A831DFE4234F0CB0F25D224F418,SHA256=40E009B5EBAA161CB74C63D920A31F44D3A40BF4CC5E66216F9251E6273A67B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047962274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:06.908{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53949-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047962273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:10.035{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEA24D91D6AD37FC37CFF2F2AEFA062,SHA256=7804C6BAA15C57D2571D8C0E4FFB36B4BBC9ACDD9E1ABE05701DAA181ED3DB20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:11.741{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101B0088D70B1D86ED9D94A265AC3994,SHA256=B0836BFC82EBE5E3ED47D44B8EEABCA1F6744016D538DAA6EC088C9DFB877EB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:11.880{3BF36828-402C-611D-3000-00000000CA01}2220NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:11.770{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8815B1FF45E4BAAD1EC9AFDE5F384569,SHA256=191F11BA0394D49B8711C18EA6DFCAED9F453D663B2CF68C611DD5D28743A730,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:11.036{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D4B938F95DBE77A8727212B87B5A82,SHA256=85C9E6E33EB7FAD497CB4E3AF079F0142F2AC76C98FD68283F0563DB32D8AA02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:16.127{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local59003-false10.0.1.12-8000- 23542300x800000000000000030727603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:12.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180B3FECB1B1FC1AFBF110633EF48757,SHA256=C331BA00EA7F947254C398C369FB5EDD1A3F84E6ABDD9551070D41FCDA8DC8C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:12.883{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A9836ED9EBD8D5566D945707C780717,SHA256=F8FF1FC0421AD05B379B255F5141FE6126B5558BB5FEECD8EFAA818542019A0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:12.039{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4203EE691EF42E3AAC461FDD4A615090,SHA256=D97C2A21D143B5C98B0CF8EDCC166534CCE0E74EA837DABCFE2FADC4B5787B1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:13.809{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDAD457E3CF4DEBAA2EFA8E6481C6BDC,SHA256=4E963DC7A646C03B1729C527AF4BB4F91E6F5F5898B8664832A77EDF1FD02B20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047962282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:09.723{3BF36828-402C-611D-3000-00000000CA01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53950-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000047962281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:13.039{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0D5DBBEDF9A3F5AB656090A7604F7B,SHA256=35FD06F3E7675007F115782114BCF37A3CFFB44D25F252328F013867F6EC5C7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:13.526{B81B27B7-66C5-6125-CE00-01000000C801}53925820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:13.358{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-66C5-6125-CE00-01000000C801}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:13.358{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-66C5-6125-CE00-01000000C801}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:13.358{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:13.358{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:13.358{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-66C5-6125-CE00-01000000C801}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:13.358{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:13.358{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:13.343{B81B27B7-66C5-6125-CE00-01000000C801}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.825{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7C6E7C741D40DC6C750C5DB3B4DC5E,SHA256=F9A14B2DFE39E474496020897B3286D088DBBD649EB567610141287283BD4F7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:14.399{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9F43C03DA1811B18F4E762F0205B9FD,SHA256=32DD3E04A0D94E7C2817F3BADA0337ACA993BADCBFD67ECC5278010E5FABDD9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:14.055{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10F141E48225FF0D5F513D6B9247D97,SHA256=CC0B07B228C28881FF8909F2960E98B9B77C1EE603B2E6B12E84F45841980590,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.388{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA933FDDF63405E3BE359D1B5167B9C,SHA256=B1E8DF197FBFB0393E25EE4BD92186D8EAC64B97F4D6F786AA106A370FA800D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.388{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A70ADB1139993ABFDBE8384068F856C,SHA256=11CDFC56DCFA7474AB6214B77A43E5482A85B545C3FA7222DACBFD6780E0A54C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000030727621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.041{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-66C6-6125-CF00-01000000C801}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.041{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.041{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.041{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.041{B81B27B7-4012-611D-0C00-00000000C801}7322056C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.041{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-66C6-6125-CF00-01000000C801}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030727615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.041{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-66C6-6125-CF00-01000000C801}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030727614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:14.026{B81B27B7-66C6-6125-CF00-01000000C801}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030727625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:15.831{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A4D9B96A463E797EFF2992A7A26EC9,SHA256=7DCBE85A4DF400BF38FB475D74FE9D9CBB6DC6C74D8D13B27257344889BDE73C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047962287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:12.055{3BF36828-4037-611D-7100-00000000CA01}4948C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local53951-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000047962286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:15.541{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D48033B785870A5BAAAC9722502BAAFD,SHA256=90AE00A49A9A252B6C8B5931AB235416300887622C0F005493AB8872B16ECE6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:15.070{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CCB7F72D51FF7C3C2A245C44EFC804,SHA256=AD4DD53F147C6623145D4367958AE09E573EEDE959F0577424D068E5C912A39A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:16.893{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35185273858A25AAC0012E882E51F3DA,SHA256=4C1E3E21E18CD0D2EACD219FDF4A4EC932949D6B73FAE0F03EC4C242C9729609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:16.802{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ABE726205A109512492254BA371E0B4,SHA256=6274683F36E8D648F0781ACB151C9C1E9AC0D783335CE162CAE172CB4D9D17E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:16.084{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5C5E5BED4C3E89D7E286B196D2E2D0,SHA256=009FB418E4249D6752E0B6BC27A40AF4B78D11A88BD1DD86E5E2BC64F51895E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:17.910{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656F07D7A23F3F3485B80BCFA4944734,SHA256=C75E1180BE15F09A18888503774A76025DB074A7D4825516FB088350A5C9887D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:17.115{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE23FA851490190E692687528CD18E6,SHA256=6E6826CE06AB34F62FE17FAD273191D7DDDD4B92E468C9E53A8C5C703CCCA6AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000030727627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:22.108{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local59004-false10.0.1.12-8000- 23542300x800000000000000030727629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:18.930{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE7521F40D2793EB7194D7C47A77494,SHA256=E22F87B69085FDCD5D8202D87C6493D77D98859C472E2C08614F6F0AE35744D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:18.287{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC1753390D1A75E572EE2FF949B4F5A7,SHA256=4A3EEE3539F19E9A99AED777CE0F377C3916E349C64155A96E5E3EDAA7B98069,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:18.131{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E292E43721D1E41C05878FE47EE77F,SHA256=F2EE41A7958AC1312FF872CB55B0936618A88CE4EE7717361B7515CE6F354007,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:19.428{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=570C3C9771ADB2379F1A8C9B8A49F0AE,SHA256=4383CA32EADC07E556EB9102E747BC47CE862967C9E1093164FBE7D5EF85FA59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047962293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-08-24 21:38:19.162{3BF36828-403F-611D-7A00-00000000CA01}4252NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A081B28CBEAD1832CB4FDC5360182C18,SHA256=286BC4243A847EBBF55FC9925961033B3B35DCF40D8E4ACA0031175F41D1A52C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000030727630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-08-24 21:38:19.476{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space